Preface



Duration calculus (abbreviated to DC) represents a logical approach to the formal design of real-time systems. In DC, real numbers are used to model time, and Boolean-valued (i.e. {0, 1}-valued) functions over time are used to model states of real-time systems. The duration of a state in a time interval is the accumulated presence time of the state in the interval. DC extends interval logic to a calculus that can be used to specify and reason about properties of state durations.

Research on DC began during the ProCoS project (ESPRIT BRA 3104), when the project was investigating formal techniques for designing safety-critical real-time systems. In a project case study of a gas burner system, it was realized that state duration was useful for specifying the real-time behavior of computing systems. A research program on state duration was therefore initiated by the project in 1990. The first paper on DC was published in 1991. Since then, research on DC has covered the development of logical calculi, their applications and mechanical support tools. The success of DC has also stimulated similar research on other formal approaches.

The aim of this book is to present DC in a systematic and coherent way. 

1. The book emphasizes the Boolean state model of real-time systems and its formalization in DC. The model comprises Boolean states, state transitions and events, and superdense transitions. The formalization is carried out in DC with both contracting and expanding interval modalities, so that not only safety properties but also liveness and fairness properties of real-time systems can be handled. In order to analyze the dependability of real-time systems, a probabilistic duration calculus is introduced.

2. The book explains how DC can be applied to formal specification and verification of real-time systems through selected case studies, which include software systems, e.g. a real-time scheduler, and software-embedded systems (also called hybrid systems), e.g. a gas burner.

3. The book provides readers with theoretical results on the completeness, decidability and a model-checking algorithm of DC. These results are fundamental to the mechanical support tools for DC, but the tools themselves are not elaborated on in the book.
1. Introduction



1.1 Real-Time Systems 

A real-time system is a computing system with real-time requirements. Let 
us consider the following two examples of real-time systems. 



1.1.1 Two Examples 
Deadline-Driven Scheduler 

Consider a finite number of processes, say $p_1, p_2, \ldots, p_m$, which share a single processor. Each process $p_i$ has a periodic behavior. In a period of length $T_i$, process $p_i$ requests a constant amount of processor time $C_i$, where $C_i < T_i$.

We assume that the request periods for process $p_i$ start at times $k \cdot T_i$, for $k = 0, 1, 2, 3, \ldots$.

The purpose of the scheduler is to grant processor time to the processes, 
i.e. to schedule the processes, so that process pi runs on the processor for Ci 
time units in every period, for i = 0, 1, . . . , m. 

Figure 1.1 shows a schedule for the first two periods of process $p_i$. In the first period, from time $0$ to time $T_i$, three pieces of processor time, with durations $C_{i1}$, $C_{i2}$ and $C_{i3}$, are scheduled for $p_i$. The requirement of $p_i$ is fulfilled in the first period, since $C_i = C_{i1} + C_{i2} + C_{i3}$. In the second period, from time $T_i$ to time $2 \cdot T_i$, two pieces of processor time are scheduled for $p_i$. However, the requirement of $p_i$ is not satisfied in the second period, as $C_i > C'_{i1} + C'_{i2}$.

[Fig. 1.1. Schedules for $p_i$ in the first two periods. The time axis is marked $0$, $T_i$ and $2 \cdot T_i$; in the first period the pieces $C_{i1}$, $C_{i2}$, $C_{i3}$ are scheduled, with $C_i = C_{i1} + C_{i2} + C_{i3}$, and in the second period the pieces $C'_{i1}$, $C'_{i2}$, with $C_i > C'_{i1} + C'_{i2}$.]
The requirement for the scheduler is to fulfill all requests of the processes. This is a real-time requirement, as any request of a process must be fulfilled before its expiration.

The deadline-driven scheduling algorithm was proposed in [85]. It satisfies this requirement, under the assumptions that the scheduler overhead is negligible and

$$\sum_{i=1}^{m} \frac{C_i}{T_i} \le 1 .$$



In this algorithm, the expiration time of a request is called the deadline of the request. The algorithm dynamically assigns priority to each process according to the urgency, i.e. the deadline, of its current request. A process will be assigned the highest priority if it is the most urgent, i.e. the deadline of its current request is the nearest, and will be assigned the lowest priority if it is the least urgent, i.e. its deadline is the furthest. At any instant, only one of the processes, with the highest priority and an unfulfilled request, can be selected to occupy or even preempt the processor.

The correctness of the algorithm is not obvious. Reference [85] has provided an informal proof of it. □



Gas Burner

This example was first investigated in [145]. A gas burner is either heating when the flame is burning or idling when the flame is not burning, and it alternates indefinitely between heating and idling. Usually, no gas is flowing while it is idling. However, when it changes from idling to heating, gas must be flowing for a little time before it can be ignited, and when a flame failure occurs, gas will be flowing before the failure is detected and the gas valve is closed. Hence, there may be a time interval in which gas is flowing and the flame is not burning, i.e. where gas is leaking. A design of a safe gas burner must ensure that the time intervals where gas is leaking do not become too long.

Let us assume that the ventilation required for normal combustion would prevent a dangerous accumulation of gas provided that the proportion of leak time is not more than one-twentieth of the elapsed time for any time interval at least one minute long - otherwise the requirement would be violated immediately on the start of a leak. This is also a real-time requirement.

Turning next to the task of design, certain decisions must be taken about how the real-time requirement is to be met. For example, it could be decided that for any period where the requirement is guaranteed, any leak in this period should be detectable and stoppable within one second; and to prevent frequent leaks, it is acceptable that after any leak in this period, the gas burner rejects the switching on of gas for thirty seconds. The conjunction of these two decisions implies the original requirement, a fact which must be proved before implementation proceeds.

After justification of the design decisions, a computer program can be designed accordingly, and hosted in the gas burner. This program interacts with a flame sensor to detect flame failures, and controls the opening and closing of the gas valve, so that the design decisions, and hence the requirement, can be satisfied. □

Both the deadline-driven scheduler and the gas burner are real-time systems, although the first one is a software system, and the second is a software-embedded system, also called a hybrid system.

Duration calculus (abbreviated to DC) is a logical approach to designing real-time systems. Real numbers are used to model time, and functions from time to Boolean values are used to model the behavior of real-time systems. On the basis of interval logic, DC provides a formal notation to specify properties of real-time systems and a calculus to formally prove those properties, such as the satisfaction of the requirements for the deadline-driven scheduling algorithm and for the design decisions of the gas burner.



1.1.2 Real Time 

At the level of requirements, real time is often understood popularly as continuous time. However, at the level of implementation, a piece of software is implemented in a computer where time progresses discretely according to the machine cycle of the computer.

For example, the gas burner, a software-embedded system, is used in 
an environment where time progresses continuously. However, the embedded 
software of the gas burner may run in a computer with a certain machine 
cycle, and interacts with other physical components via sensors and actuators 
which operate discretely. 

Although the deadline-driven scheduler, a software system, is hosted in a computer where time progresses discretely, the correctness of the deadline-driven scheduling algorithm is expected to be independent of the specific host computer, i.e. the algorithm can be better understood in terms of continuous time.

Therefore, the interface between continuous time and discrete time has 
become an important research topic in designing real-time systems. 

For DC, we have adopted continuous time and chosen real numbers to model this continuous time. Discrete time, as a countable subset of the real numbers, can be defined in DC. It is definitely true that not every requirement satisfiable in continuous time can be implemented by a computer. For example, no computer can send out two signals separated by a distance less than its machine cycle, although, because of the density of continuous time, one can always find two time instants with an arbitrarily small distance between them.
In [32], a subset of DC formulas is identified, from which discrete implementations called digital controllers can be synthesized. References [19, 20, 25, 137, 138, 156] introduce discrete states to approximate continuous states, and provide rules to refine continuous specifications expressed as DC formulas into discrete implementations.

1.1.3 State Models 

In DC, states and events are used to model the behavior of real-time systems. However, the book concentrates on state models until Chap. 9, where state models are extended with the addition of events. A Boolean state model of a real-time system is a set $P_1, P_2, \ldots$ of Boolean-valued (i.e. {0, 1}-valued) functions over time, i.e.

$$P_i : \mathrm{Time} \to \{0, 1\} ,$$

where Time is the set of the real numbers.

Each Boolean-valued function, also called a Boolean state (or simply a state) of the system, is a characteristic function of a specific aspect of the system behavior, and the whole set of Boolean-valued functions characterizes all of the relevant aspects of the behavior.

Deadline-Driven Scheduler 

In order to prove the correctness of the deadline-driven scheduler, we introduce the following states to model the behavior of the scheduler:

$$\mathrm{Run}_i : \mathrm{Time} \to \{0, 1\}$$
$$\mathrm{Std}_i : \mathrm{Time} \to \{0, 1\}$$
$$\mathrm{Urg}_{ij} : \mathrm{Time} \to \{0, 1\} ,$$

for $i, j = 1, 2, \ldots, m$.

The states $\mathrm{Run}_i$ ($i = 1, 2, \ldots, m$) are used to characterize the processor occupation. $\mathrm{Run}_i(t) = 1$ means that $p_i$ is running in the processor at time $t$, while $\mathrm{Run}_i(t) = 0$ means that $p_i$ is not running at $t$.

The states $\mathrm{Std}_i$ ($i = 1, 2, \ldots, m$) characterize the standing of the request. $\mathrm{Std}_i(t) = 1$ means that at time $t$ the current request of $p_i$ is still standing. Namely, the current request of $p_i$ is yet to be fulfilled at time $t$. $\mathrm{Std}_i(t) = 0$ means that at $t$ the current request of $p_i$ is not standing anymore. In other words, the current request of $p_i$ has been fulfilled by time $t$.

For a pair of processes $p_i$ and $p_j$ ($i \neq j$), the state $\mathrm{Urg}_{ij}$ describes which of the processes is more urgent, where urgency is defined in terms of the distance to the start of the next request period. Thus, $\mathrm{Urg}_{ij}(t) = 1$, for $i, j = 1, 2, \ldots, m$ and $i \neq j$, means that $p_i$ is more urgent than $p_j$ at time $t$, and $\mathrm{Urg}_{ij}(t) = 0$ means that $p_i$ is less urgent than or as urgent as $p_j$ at time $t$.
It is obvious that any set of the above functions which characterizes a possible behavior of the deadline-driven scheduler must satisfy certain properties. For example, at any time $t$, if $\mathrm{Run}_i(t) = 1$, then $\mathrm{Run}_j(t) = 0$ for $j \neq i$, as the processes share a single processor. The properties which capture the scheduling algorithm are more complicated.

DC provides a formal notation to specify the real-time properties of the scheduling algorithm in terms of states $\mathrm{Run}_i$, $\mathrm{Std}_i$ and $\mathrm{Urg}_{ij}$. Furthermore, the real-time requirement of the scheduler can also be expressed in DC through these states, and the correctness of the scheduling algorithm can then be verified using DC. □

A Boolean state model of a system represents an abstraction of the behavior of the system, and may be refined to more primitive states during the design and the implementation of the system. In particular, for designing a software-embedded system, a Boolean-valued state may be finally refined to real-valued functions which model the behavior of physical components of the system, as in control theory. We call the real-valued functions a real state model of the system. Consider the example of the gas burner.

Gas Burner 

The gas burner is a software-embedded system. To verify the design decisions against the requirement, one may start with a single Boolean state to model the critical aspect of the system

$$\mathrm{Leak} : \mathrm{Time} \to \{0, 1\} ,$$

where $\mathrm{Leak}(t) = 1$ means that gas is leaking at time $t$, and $\mathrm{Leak}(t) = 0$ means that gas is not leaking at $t$.

However, at a later stage of the design one may have to specify the phases of burning and idling of the gas burner, and introduce more primitive Boolean states of the system such as Gas and Flame to characterize the flowing and burning of gas. Then Leak can be pointwise defined as a Boolean expression containing Gas and Flame:

$$\mathrm{Leak}(t) = \mathrm{Gas}(t) \wedge \neg\mathrm{Flame}(t) ,$$

for any $t \in \mathrm{Time}$.

Boolean operators (e.g. $\neg$ and $\wedge$) for states are therefore included in DC, so that a composite state of a real-time system can be refined to primitive states of the system.

However, the flow of gas is actually a real-valued function of time, and can be determined by the degree of opening of a gas valve. To describe the valve, a function

$$\mathrm{Valve} : \mathrm{Time} \to [0, \Theta]$$

is introduced, where $\mathrm{Valve}(t) = \theta$ means that the valve is opened to a degree $\theta$ ($0 \le \theta \le \Theta$) at time $t$.

The Boolean state Gas can be regarded as an abstraction of the real-valued function Valve. For example, one may define this state such that gas is present at $t$ when $\mathrm{Valve}(t)$ is above some threshold $\theta_0$ ($0 < \theta_0 < \Theta$):

$$\mathrm{Gas}(t) = \begin{cases} 1, & \text{if } \mathrm{Valve}(t) > \theta_0 \\ 0, & \text{otherwise} \end{cases}$$

In other words, Gas becomes the characteristic function of a property of the real-valued function Valve.

Furthermore, the opening and the closing of the valve are controlled by a piece of software embedded in the gas burner, which governs the application of a force to open or close the valve. This applied force can be expressed as another real-valued function:

$$\mathrm{Force} : \mathrm{Time} \to [-R, R] ,$$

where $R$ stands for the greatest strength of the applied force. The real-valued functions Force and Valve are called real states of the gas burner, and join with other functions to form a real state model of the system. The relation between Force and Valve may be defined by a differential equation obtained from mechanics. □

As a design calculus for software-embedded systems, research on DC has 
explored possibilities to capture parts of real analysis (see [165, 170]), and 
hence to specify real state models of software-embedded systems. However, 
this book will not present a real state model. 



1.1.4 State Durations 

The notion of state duration is used to specify the behavior of real-time systems. The duration of a Boolean state over a time interval is the accumulated presence time of the state in the interval.

Let $P$ be a Boolean state (i.e. $P : \mathrm{Time} \to \{0, 1\}$), and $[b, e]$ an interval (i.e. $b, e \in \mathrm{Time}$ and $e \ge b$). The duration of state $P$ over $[b, e]$ equals the integral

$$\int_b^e P(t)\,dt .$$

Let us use the two examples described above to illustrate the importance of 
state durations in specifying real-time behavior. 



Deadline-Driven Scheduler 

The real-time requirement of the scheduler is to fulfill all the process requests before their expiration. This requirement can be expressed in terms of durations of the states $\mathrm{Run}_i$, for $i = 1, 2, \ldots, m$.

Let us assume that all the processes raise their first request at time 0. Thus, every $n$th request of $p_i$ is raised at time $(n-1)T_i$ and expires at time $nT_i$, where $n = 1, 2, \ldots$. Therefore, the scheduler fulfills the $n$th request of $p_i$ iff the accumulated run time of $p_i$ in the interval $[(n-1)T_i, nT_i]$ equals the requested time $C_i$. Namely, the duration of state $\mathrm{Run}_i$ over the interval $[(n-1)T_i, nT_i]$ is equal to $C_i$.

Hence, the requirement is satisfied by the scheduler iff the duration of $\mathrm{Run}_i$ over the interval $[(n-1)T_i, nT_i]$ is equal to $C_i$, for all $i = 1, 2, \ldots, m$ and $n = 1, 2, \ldots$. □
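As an added illustration (this code is not from the book, nor the algorithm's presentation in [85]): the deadline-driven algorithm run on a discrete unit-step clock, with the Boolean state $\mathrm{Run}_i$ recorded as a 0/1 sequence per unit slot, and the requirement above checked as the duration of $\mathrm{Run}_i$ over each period $[(n-1)T_i, nT_i]$. The task set, the integer time unit and all function names are assumptions of the example; the sum $\sum C_i/T_i \le 1$ is the condition quoted from [85] in Sect. 1.1.1.

```python
# Added example, not code from the book or from [85]: the deadline-driven
# algorithm simulated on a discrete unit-step clock. Time unit, task set and
# all names below are assumptions of the example.
import math
from fractions import Fraction

# Constructed task set: (C_i, T_i) pairs, processor time C_i per period T_i.
TASKS = [(1, 4), (2, 6), (3, 8)]

def utilization(tasks):
    """Sum of C_i / T_i, the schedulability condition quoted from [85]."""
    return sum(Fraction(c, t) for c, t in tasks)

def hyperperiod(tasks):
    """Least common multiple of the periods; the schedule repeats after it."""
    return math.lcm(*[t for _, t in tasks])

def edf_schedule(tasks, horizon):
    """Deadline-driven scheduling: at each unit step the standing request with
    the nearest deadline (the most urgent) occupies, and may preempt, the
    processor. Returns run[i][t] in {0, 1}: Run_i sampled on the slot [t, t+1)."""
    m = len(tasks)
    run = [[0] * horizon for _ in range(m)]
    remaining = [0] * m   # unfulfilled processor time of the current request
    deadline = [0] * m    # expiration time of the current request
    for t in range(horizon):
        for i, (c, period) in enumerate(tasks):
            if t % period == 0:          # a new request period starts at k*T_i
                remaining[i] = c         # an unfulfilled old request has expired
                deadline[i] = t + period
        standing = [i for i in range(m) if remaining[i] > 0]   # Std_i(t) = 1
        if standing:
            i = min(standing, key=lambda j: (deadline[j], j))   # nearest deadline
            run[i][t] = 1
            remaining[i] -= 1
    return run

def duration(state, b, e):
    """Integral of a unit-step sampled Boolean state over [b, e]."""
    return sum(state[b:e])

def requirement_holds(tasks, run):
    """The scheduler requirement of Sect. 1.1.4: the duration of Run_i over
    every period [(n-1)T_i, nT_i] equals C_i."""
    horizon = len(run[0])
    return all(duration(run[i], (n - 1) * period, n * period) == c
               for i, (c, period) in enumerate(tasks)
               for n in range(1, horizon // period + 1))

def mutual_exclusion(run):
    """Run_i(t) = 1 implies Run_j(t) = 0 for j != i (a single processor)."""
    return all(sum(col) <= 1 for col in zip(*run))

if __name__ == "__main__":
    run = edf_schedule(TASKS, hyperperiod(TASKS))
    print("utilization:", utilization(TASKS))
    print("requirement holds over one hyperperiod:", requirement_holds(TASKS, run))
```

Running the same functions on a task set whose utilization exceeds 1, e.g. `[(2, 3), (2, 4)]`, shows a period in which the duration of $\mathrm{Run}_i$ falls short of $C_i$; the check is exact on the discrete clock because all requests and deadlines fall on integer instants.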

Gas Burner 

The real-time requirement of the gas burner is that the proportion of leak time in an interval is not more than one-twentieth of the interval, if the interval is at least one minute long. This requirement can be expressed in terms of the durations of Leak as follows:

$$(e - b) \ge 60\,\mathrm{s} \;\Rightarrow\; 20 \int_b^e \mathrm{Leak}(t)\,dt \le (e - b) ,$$

for any interval $[b, e]$. □

A mathematical formulation of these two requirements can hardly leave out state durations. Since the processor may be preempted dynamically, the duration of $\mathrm{Run}_i$ extracts the accumulated running time of $p_i$ from the dynamic occupation of the processor. Also, since gas leaks occur owing to random flame failures, the duration of Leak extracts the accumulated leak time of gas from the random flame failures. Therefore, state durations are adopted in DC to specify the behavior of real-time systems.

The distance between states (or events) is another important measurement of real-time systems. This was studied extensively before the development of DC, for example, by the use of timed automata [5], real-time logic [69], metric temporal logic [72] and explicit clock temporal logic [54].

However, state durations are more expressive than distances between states in the sense that the latter can be expressed in terms of the former, but not vice versa. With state durations, one can first express the lasting period of a state. That a presence of state $P$ lasts for a period $[c, d]$ (for $d > c$), written $P[c, d]$, can be expressed as follows:

$$\int_c^d P(t)\,dt = (d - c) > 0 ,$$

if we do not care about instantaneous absences of $P$. This expression is read in real analysis as

“$P$ appears almost everywhere in $[c, d]$”.

Thus, real-time constraints on the lasting periods of states can be expressed in terms of state durations.
Gas Burner

Consider the first design decision in the case of the gas burner. Let $[b, e]$ be an interval where we want to guarantee the requirement of the gas burner. The first design decision is that any leak in $[b, e]$ should not last for a period longer than one second. This can be expressed as

$$\forall c, d : b \le c < d \le e .\ (\mathrm{Leak}[c, d] \Rightarrow (d - c) \le 1\,\mathrm{s}) .$$

Real-time constraints on distances between states can be expressed in terms of state durations similarly. Consider the second design decision in the case of the gas burner. The second design decision is that the distance between any two consecutive leaks in the guarantee period $[b, e]$ must be at least thirty seconds long:

$$\forall c, d, r, s : b \le c < r < s < d \le e .\ (\mathrm{Leak}[c, r] \wedge \mathrm{NonLeak}[r, s] \wedge \mathrm{Leak}[s, d]) \Rightarrow (s - r) \ge 30\,\mathrm{s} ,$$

where NonLeak is a state defined from Leak using the negation ($\neg$):

$$\mathrm{NonLeak}(t) = \neg\mathrm{Leak}(t) ,$$

for any $t \in \mathrm{Time}$.

The above formulation of the second design decision for the gas burner can be changed to a syntactically weaker but semantically equivalent one:

$$\forall c, d, r, s : b \le c < r < s < d \le e .\ (\mathrm{Leak}[c, r] \wedge \mathrm{NonLeak}[r, s] \wedge \mathrm{Leak}[s, d]) \Rightarrow (d - c) \ge 30\,\mathrm{s} .$$

The equivalence of these two formulas can be proved as follows. It is obvious that the first formula implies the second one. In order to prove the other implication, we assume that there are

$$c' < r < s < d' \text{ in } [b, e]$$

such that

$$\mathrm{Leak}[c', r],\ \mathrm{NonLeak}[r, s],\ \mathrm{Leak}[s, d'] \text{ and } (s - r) < 30 .$$

Under this assumption, we let

$$\eta = (30 - (s - r)) > 0$$
$$c = \max\{c', (r - (\eta/3))\}$$
$$d = \min\{d', (s + (\eta/3))\} .$$

Then, it is easy to prove that

$$c < r < s < d \text{ in } [b, e]$$

and

$$\mathrm{Leak}[c, r],\ \mathrm{NonLeak}[r, s],\ \mathrm{Leak}[s, d] \text{ and } (d - c) < 30 .$$

So, by the contraposition law of propositional logic, we complete the proof of the equivalence of the two formulations of the second design decision. □

However, the equivalence of these two formulas holds only for continuous 
time. In the rest of this book, when we are concerned with a continuous time 
domain, we shall adopt the second formulation, since it corresponds to a 
simpler formalization of the second design decision for the gas burner in DC. 
In Chap. 12 we shall deal with a discrete time domain and shall formalize 
the second design decision differently. 
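As an added example (not code from the book), the gas burner states of Sects. 1.1.3 and 1.1.4 as step functions: a Boolean state is represented by the sorted list of maximal segments on which it is 1, which is exactly the representation the finite-variability assumption permits. The code abstracts Gas from a piecewise-constant Valve by the threshold $\theta_0$, derives Leak as $\mathrm{Gas} \wedge \neg\mathrm{Flame}$, computes state durations, and checks the requirement and both design decisions exactly on a constructed trace. The segment lists, the 100 s horizon and all function names are assumptions of the example.

```python
# Added example, not from the book: gas burner states as step functions.
# A state is a sorted list of maximal segments (start, end) on which it is 1;
# times are seconds and the trace lives on [0, HORIZON]. Data is constructed.
HORIZON = 100.0

def normalize(segments):
    """Sort and merge touching or overlapping segments into maximal ones."""
    out = []
    for s, e in sorted(segments):
        if s >= e:
            continue
        if out and s <= out[-1][1]:
            out[-1] = (out[-1][0], max(out[-1][1], e))
        else:
            out.append((s, e))
    return out

def threshold(real_state, theta0):
    """Gas as the characteristic function of Valve(t) > theta0, where the real
    state Valve is given piecewise-constant as (start, end, value) pieces."""
    return normalize([(s, e) for s, e, v in real_state if v > theta0])

def conj_not(gas, flame):
    """Leak(t) = Gas(t) and not Flame(t), computed segment-wise."""
    leak = []
    for gs, ge in normalize(gas):
        cur = gs
        for fs, fe in normalize(flame):
            if fe <= cur:
                continue
            if fs >= ge:
                break
            if fs > cur:
                leak.append((cur, fs))
            cur = max(cur, fe)
        if cur < ge:
            leak.append((cur, ge))
    return normalize(leak)

def duration(P, b, e):
    """The integral of P over [b, e]: accumulated presence time of P."""
    return sum(max(0.0, min(e, pe) - max(b, ps)) for ps, pe in P)

def des1(leak, bound=1.0):
    """First design decision: no leak lasts longer than `bound` seconds."""
    return all(pe - ps <= bound for ps, pe in leak)

def des2(leak, gap=30.0):
    """Second design decision: consecutive leaks are at least `gap` seconds
    apart. For step functions both formulations of Sect. 1.1.4 reduce to this
    test on the gap between maximal leak segments."""
    return all(leak[k + 1][0] - leak[k][1] >= gap for k in range(len(leak) - 1))

def gbreq(leak, horizon=HORIZON, minlen=60.0, ratio=20.0):
    """Exact check of (e-b) >= 60 => 20 * duration(Leak, b, e) <= (e-b) for every
    [b, e] inside [0, horizon]. The excess 20*duration - (e-b) is piecewise
    linear in (b, e), so its maximum over all long-enough intervals is reached
    at a vertex: b and e drawn from the breakpoints of Leak, the trace ends,
    and those points shifted by -60 or +60. Returns None if the requirement
    holds, otherwise the worst violating interval."""
    pts = {0.0, horizon} | {p for seg in leak for p in seg}
    starts = [b for p in pts for b in (p, p - minlen) if 0 <= b <= horizon]
    ends = [e for p in pts for e in (p, p + minlen) if 0 <= e <= horizon]
    worst = None
    for b in starts:
        for e in ends:
            if e - b >= minlen:
                excess = ratio * duration(leak, b, e) - (e - b)
                if worst is None or excess > worst[0]:
                    worst = (excess, b, e)
    if worst is None or worst[0] <= 1e-9:
        return None
    return (worst[1], worst[2])

# Constructed trace: gas flows throughout, ignition takes 1 s, one flame
# failure at 40 s (re-ignited after 1 s) and one at 80 s (0.5 s).
VALVE = [(0.0, 100.0, 0.8)]
GAS = threshold(VALVE, 0.5)
FLAME = [(1.0, 40.0), (41.0, 80.0), (80.5, 100.0)]
LEAK = conj_not(GAS, FLAME)

if __name__ == "__main__":
    print("Leak segments:", LEAK)
    print("Des1:", des1(LEAK), "Des2:", des2(LEAK), "GbReq violation:", gbreq(LEAK))
```

On the constructed trace both design decisions hold and the requirement holds, as the implication $\mathrm{Des}_1 \wedge \mathrm{Des}_2 \Rightarrow \mathrm{GbReq}$ predicts; a trace with a 1 s leak every 5 s satisfies the first decision, violates the second and violates the requirement, while a single 2 s leak violates the first decision yet still satisfies the requirement, showing that the implication does not run backwards.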

By axiomatizing integrals of Boolean-valued functions, DC provides a possible way to introduce notions of real analysis into formal techniques for designing software-embedded real-time systems. Notions of integral and/or differential have also been adopted in studies of automata [4, 99], statecharts [92], temporal logic of actions (TLA) [76] and communicating sequential processes (CSP) [55], when considering software-embedded systems.

State durations, as integrals of Boolean-valued functions, are functions from time intervals to real numbers. The state durations of DC have been axiomatized on the basis of the interval logics proposed in [1, 27, 43], which can be regarded as logics for functions of time intervals.



1.2 Interval Logic 

By interval logic we mean logics in the sense of [1, 27, 43], for example. We view these logics as logics for time intervals. Let Intv be the set of time intervals, i.e.

$$\mathrm{Intv} = \{\, [b, e] \mid b, e \in \mathrm{Time} \wedge b \le e \,\} .$$



1.2.1 Interval Variables 

In these logics, we can express properties of functions of time intervals, called interval variables.

Let $v_i$ (for $i = 1, 2, 3, 4$) be interval variables, i.e.

$$v_i : \mathrm{Intv} \to \mathbb{R} ,$$

where $\mathbb{R}$ denotes the set of real numbers.
A formula such as $v_1 \le (v_2 + v_3 \cdot v_4)$ is interpreted in interval logic as a function from Intv to the truth values $\{tt, ff\}$:

$$v_1 \le (v_2 + v_3 \cdot v_4) : \mathrm{Intv} \to \{tt, ff\} .$$

An interval $[b, e]$ satisfies the formula iff the value of $v_1$ of $[b, e]$ is less than or equal to the sum of the value of $v_2$ of $[b, e]$ and the product of the values of $v_3$ and $v_4$ of $[b, e]$.

Therefore, interval logic provides a functional calculus for specifying and reasoning about properties of functions of intervals in a succinct way, such that the arguments of the functions (i.e. the intervals) are not referred to explicitly.

The interval length is a specific interval variable denoted $\ell$, i.e.

$$\ell : \mathrm{Intv} \to \mathbb{R} .$$

For an arbitrarily given interval $[b, e]$, $\ell$ delivers the value $(e - b)$, i.e. the length of $[b, e]$.

The duration of the state $P$ (written $\int P$) is another interval variable,

$$\int P : \mathrm{Intv} \to \mathbb{R} .$$

For an arbitrarily given interval $[b, e]$, the value of the interval variable $\int P$ is the duration of $P$ in $[b, e]$, i.e. the value

$$\int_b^e P(t)\,dt .$$



Gas Burner 

The requirement of the gas burner can be expressed in terms of the state duration $\int \mathrm{Leak}$ as

$$\mathrm{GbReq} \;\widehat{=}\; \ell \ge 60 \Rightarrow 20 \int \mathrm{Leak} \le \ell ,$$

where 60 stands for 60 seconds. (Henceforth we choose the second as the time unit in the example of the gas burner.) □

1.2.2 Interval Modalities 

The set of intervals Intv is the semantic domain of interval logic. In interval 
logic, modalities are used to define structures among intervals, such as one 
interval is a subinterval of another interval, or an interval is made of two 
adjacent subintervals. Those structures are present in the descriptions of the 
two design decisions for the gas burner. For example, the first design decision 
expresses a real-time property of a subinterval in which leaking occurs. The 
second design decision expresses a real-time requirement for three adjacent 
subintervals. 
In the literature of mathematical logic, logics of modalities are called modal logics [15, 66]. The semantic domain of a modal logic is usually called a frame and it consists of a set of worlds and a reachability relation of the worlds. Thus, an interval logic is a modal logic which takes intervals as worlds.

In [1, 43, 147], twelve unary modalities and three binary modalities are 
suggested for defining various interval reachabilities. We list here four of the 
modalities, which are used later in this chapter. 

The Subinterval Modality $\Diamond$

The subinterval modality $\Diamond$ (Fig. 1.2) is a unary modality. For any formula $\phi$, $\Diamond\phi$ is a new formula which holds for an interval iff $\phi$ holds for some subinterval.

Mathematically, an arbitrary interval $[b, e]$ satisfies $\Diamond\phi$ iff there exist $c, d$ such that $b \le c \le d \le e$ and the interval $[c, d]$ satisfies $\phi$. Thus, from the interval $[b, e]$ one can reach its subintervals with $\Diamond\phi$.

[Fig. 1.2. The modality $\Diamond$: $\Diamond\phi$ holds on $[b, e]$, and $\phi$ holds on a subinterval $[c, d]$ with $b \le c \le d \le e$.]

The dual of $\Diamond$ is $\Box$, which is defined as

$$\Box\phi \;\widehat{=}\; \neg\Diamond\neg\phi .$$

Hence, $[b, e]$ satisfies $\Box\phi$ iff any subinterval of $[b, e]$ satisfies $\phi$.

With $\Box$, one can formulate the first design decision for the gas burner, that any leak in the guarantee period of the gas burner must be stoppable within one second.

First, the mathematical definition of $P[c, d]$ (i.e. $P$ takes the value 1 almost everywhere in a nonpoint interval $[c, d]$) can be expressed as a formula without mentioning the interval explicitly:

$$\lceil P \rceil \;\widehat{=}\; \int P = \ell \;\wedge\; \ell > 0 .$$

Then, the following formula is a formalization of the first design decision:

$$\mathrm{Des}_1 \;\widehat{=}\; \Box(\lceil \mathrm{Leak} \rceil \Rightarrow \ell \le 1) .$$



□ 
The Chop Modality $\frown$

The chop modality $\frown$ (Fig. 1.3) is a binary modality introduced into interval logic by [43]. For formulas $\phi$ and $\psi$, the new formula $\phi \frown \psi$ is satisfied by an interval iff the interval can be chopped into two adjacent subintervals such that the first subinterval satisfies $\phi$ and the second one satisfies $\psi$.

In other words, the interval $[b, e]$ satisfies the formula $\phi \frown \psi$ iff there exists $m$ ($b \le m \le e$) such that $[b, m]$ satisfies $\phi$ and $[m, e]$ satisfies $\psi$.

[Fig. 1.3. The modality $\frown$: $\phi \frown \psi$ holds on $[b, e]$, with $\phi$ holding on $[b, m]$ and $\psi$ on $[m, e]$.]

The reachability relation defined by ^ is a ternary one. It provides access 
to adjacent subintervals of an interval, and hence defines a temporal order 
among subintervals of an interval. 

With $\frown$ and $\Box$, one can formalize the second formulation of the second design decision for the gas burner given in Sect. 1.1.4:

$$\mathrm{Des}_2 \;\widehat{=}\; \Box\big((\lceil \mathrm{Leak} \rceil \frown \lceil \neg\mathrm{Leak} \rceil \frown \lceil \mathrm{Leak} \rceil) \Rightarrow \ell \ge 30\big) .$$

To prove the correctness of the two design decisions is therefore to prove the validity of the formula

$$(\mathrm{Des}_1 \wedge \mathrm{Des}_2) \Rightarrow \mathrm{GbReq} .$$

In fact, the subinterval modality $\Diamond$ can be derived from the chop modality, since

$$\Diamond\phi \;\widehat{=}\; (\mathrm{true} \frown (\phi \frown \mathrm{true})) ,$$

where “true” stands for a formula which is satisfied by any interval. Therefore, the second design decision (as well as the first one) for the gas burner can be expressed in an interval logic of state durations with $\frown$ as the only modality.

□ 

A modality is called contracting if the modality provides access only to inside parts of a given interval, i.e. subintervals of the interval. $\Diamond$ and $\frown$ are two examples of contracting modalities. With the contracting modality $\frown$ we have expressed the two design decisions for the gas burner which can guarantee the safety-critical requirement of the gas burner.
However, contracting modalities cannot express unbounded liveness and fairness properties of computing systems, since these properties are about properties outside any given time interval. Modalities which provide access to the region outside a given interval are called expanding modalities. In the following we give two examples of expanding modalities.

The Right Neighborhood Modality $\Diamond_r$

The modality $\Diamond_r$ (Fig. 1.4) is a unary modality. An interval satisfies $\Diamond_r\phi$ iff a right neighborhood of the ending point of the interval satisfies $\phi$.

Mathematically, $[b, e]$ satisfies $\Diamond_r\phi$ iff there exists $d \ge e$ such that the interval $[e, d]$ satisfies $\phi$.

[Fig. 1.4. The modality $\Diamond_r$: $\Diamond_r\phi$ holds on $[b, e]$, and $\phi$ holds on the right neighborhood $[e, d]$.]

Thus, $\Diamond_r$ provides access to right neighborhoods of $e$ from $[b, e]$. Since right neighborhoods of $e$ are outside $[b, e]$, $\Diamond_r$ is an expanding modality.

The modality $\Box_r$ is the dual of $\Diamond_r$ and is defined as

$$\Box_r\phi \;\widehat{=}\; \neg\Diamond_r\neg\phi .$$

That is, an interval satisfies $\Box_r\phi$ iff any right neighborhood of the ending point of the interval satisfies $\phi$.

With $\Diamond_r$, one can specify properties related to future time, such as liveness and fairness properties of computing systems. Consider the example of the gas burner. Let HeatReq be a state to characterize a request for heat from the gas burner. The formula

$$\lceil \mathrm{HeatReq} \rceil \Rightarrow \Diamond_r\Big(\int \mathrm{Flame} > 0\Big)$$

expresses the condition that if one raises a heat request, then there will exist a presence of Flame in the future. This formula can represent an additional requirement for the gas burner, to reject a safe but dead gas burner.



The Left Neighborhood Modality $\Diamond_l$

The modality $\Diamond_l$ (Fig. 1.5) is a unary modality. An interval satisfies $\Diamond_l\phi$ iff a left neighborhood of the beginning point of the interval satisfies $\phi$.

[Fig. 1.5. The modality $\Diamond_l$: $\Diamond_l\phi$ holds on $[b, e]$, and $\phi$ holds on the left neighborhood $[c, b]$.]

Mathematically, $[b, e]$ satisfies $\Diamond_l\phi$ iff there exists $c \le b$ such that the interval $[c, b]$ satisfies $\phi$.

Thus, the modality $\Diamond_l$ provides access to the past time of a given interval. It is also an expanding modality.

The dual of $\Diamond_l$ is designated by $\Box_l$. An interval $[b, e]$ satisfies $\Box_l\phi$ iff any left neighborhood of $b$ satisfies $\phi$:

$$\Box_l\phi \;\widehat{=}\; \neg\Diamond_l\neg\phi .$$



□ 

In Chap. 11 of this book, it is proved that all twelve unary modalities and three binary modalities of interval logic can be derived from $\Diamond_r$ and $\Diamond_l$ in a first-order logic with interval length $\ell$. However, this book will use $\frown$ as the only modality, except in Chap. 11, where the liveness and fairness properties of computing systems are discussed.
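As an added example (not from the book), a small interpreter for the interval logic of this section on a constructed finite discrete frame $\mathrm{Time} = \{0, \ldots, N\}$, the kind of discrete time domain the text notes can be defined inside DC. Interval variables are Python functions of $(b, e)$, formulas are functions to truth values, and the modalities are written out from their definitions; the code checks the derivation $\Diamond\phi \Leftrightarrow \mathrm{true} \frown (\phi \frown \mathrm{true})$ on every interval of the frame and evaluates $\mathrm{Des}_1$ and the heat-request liveness formula. The sample states, $N$ and all function names are assumptions of the example; on a finite frame $\Diamond_r$ and $\Diamond_l$ can only look as far as the frame ends, which is the caveat to keep in mind for unbounded liveness.

```python
# Added example, not from the book: an interpreter for the interval logic of
# Sect. 1.2 over a constructed finite discrete frame Time = {0, ..., N}, with
# Intv = {[b, e] | 0 <= b <= e <= N}. A Boolean state is the set of unit slots
# [t, t+1) on which it equals 1. N, the states and all names are assumptions.
import operator

N = 12

def intervals():
    return [(b, e) for b in range(N + 1) for e in range(b, N + 1)]

# --- interval variables: functions Intv -> real numbers
def length(b, e):
    return e - b                     # the interval variable l

def dur(P):
    return lambda b, e: sum(1 for t in range(b, e) if t in P)   # the variable ∫P

def const(k):
    return lambda b, e: k

# --- formulas: functions Intv -> {tt, ff}; connectives act pointwise
def true(b, e):
    return True

def cmp(op, v, w):
    return lambda b, e: op(v(b, e), w(b, e))

def neg(f):
    return lambda b, e: not f(b, e)

def conj(f, g):
    return lambda b, e: f(b, e) and g(b, e)

def impl(f, g):
    return lambda b, e: (not f(b, e)) or g(b, e)

# --- modalities, written out from their definitions
def chop(f, g):
    """[b,e] satisfies f^g iff some m with b <= m <= e has [b,m] |= f and [m,e] |= g."""
    return lambda b, e: any(f(b, m) and g(m, e) for m in range(b, e + 1))

def diamond(f):
    """Subinterval modality: f holds on some [c,d] with b <= c <= d <= e."""
    return lambda b, e: any(f(c, d) for c in range(b, e + 1) for d in range(c, e + 1))

def box(f):
    """Dual of diamond: not diamond(not f)."""
    return neg(diamond(neg(f)))

def diamond_r(f):
    """Right neighborhood: f holds on some [e, d] with d >= e (cut off at N here)."""
    return lambda b, e: any(f(e, d) for d in range(e, N + 1))

def diamond_l(f):
    """Left neighborhood: f holds on some [c, b] with c <= b (cut off at 0 here)."""
    return lambda b, e: any(f(c, b) for c in range(0, b + 1))

def ceil(P):
    """⌈P⌉ = (∫P = l and l > 0): P holds almost everywhere on a nonpoint interval."""
    return conj(cmp(operator.eq, dur(P), length), cmp(operator.gt, length, const(0)))

def valid(f):
    """f holds on every interval of the frame."""
    return all(f(b, e) for b, e in intervals())

def diamond_equals_chop_form(f):
    """Checks the derivation diamond f <=> true^(f^true) on every interval."""
    lhs, rhs = diamond(f), chop(true, chop(f, true))
    return all(lhs(b, e) == rhs(b, e) for b, e in intervals())

# constructed sample states (unit slots on which the state is 1)
LEAK = frozenset({1, 5, 6})
HEATREQ = frozenset({2, 3})
FLAME = frozenset({7, 8})

def des1(P):
    """Des_1 = box(⌈P⌉ => l <= 1): no presence of P lasts more than one slot."""
    return box(impl(ceil(P), cmp(operator.le, length, const(1))))

def liveness(req, flame):
    """⌈req⌉ => diamond_r(∫flame > 0): a heat request is eventually followed by flame."""
    return impl(ceil(req), diamond_r(cmp(operator.gt, dur(flame), const(0))))

if __name__ == "__main__":
    print("diamond via chop:", diamond_equals_chop_form(ceil(LEAK)))
    print("Des_1 on LEAK:", valid(des1(LEAK)))
    print("liveness:", valid(liveness(HEATREQ, FLAME)))
```

On the sample frame $\mathrm{Des}_1$ fails because Leak is present on two adjacent slots, and the liveness formula holds only because Flame is present somewhere after the heat request; with an empty Flame state the same formula is refuted, which is the "safe but dead" burner the text rejects.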



1.3 Duration Calculus 

Research on DC was initiated by the case study [145] in connection with the ProCoS project (ESPRIT BRA 3104 and 7071). Several real-time formalisms were investigated in order to specify requirements and design decisions for a gas burner system; but they all failed in this case study. Two main observations of this case study were that the notion of a time interval was useful and that the notion of a state duration was convenient. This led to the first publication on DC [168] in 1991. Since then, research on DC has considered different models of real-time systems, applications of DC and mechanical support tools for DC.

In [161], there is a brief overview of early research on DC, and in [51], 
there is a detailed account of the logical foundations of DC. 

1.3.1 Models 

Different models are used by designers of real-time systems at different design stages. In order to accommodate all necessary models, sets of functions over time, called states, are used to model real-time systems in DC. In the state models, real-valued functions are called real states of systems, and characteristic functions of properties of underlying real states are called Boolean states. Boolean states are assumed stable, i.e. any presence (or absence) of a Boolean state must last for some period, and are represented by Boolean-valued step functions. Events are taken to be transitions of Boolean states.

First, a basic calculus - the calculus for durations of Boolean states - was 
developed, and then other models were introduced by adding to the basic 
calculus extra axioms, which formalize the models and also their interrelations 
with the Boolean state model. 

Boolean State Model 

The basic calculus of DC [168] axiomatizes state durations for the Boolean state model, i.e. integrals of Boolean-valued functions, under an assumption of finite variability (also called the non-Zeno phenomenon) of states. The assumption of finite variability stipulates that any state can only change its presence and absence finitely many times in any bounded time period. That is, only finitely many state transitions can take place in any bounded time period. The interval modality used in the basic calculus is the chop modality $\frown$.

This calculus can be used to specify and verify state-based safety properties of real-time systems. Formalizations of other models are conservative extensions of this calculus.



Boolean State and Event Model 

The Boolean state and event model was studied in [164, 169]. 

In [169], an event is a Boolean-valued $\delta$-function, i.e. a Boolean-valued function with a value of 1 at discrete points. This means that an event is an instant action, and an event takes place at a given time point iff the Boolean-valued $\delta$-function of the event takes the value 1 at that point. By linking events to state transitions, this model can be used to refine from state-based requirements, via mixed state and event specifications, to event-based specifications of programs.

However, with integrals of functions, one cannot capture the value of a function at a point, since the integral of a function at a point is always equal to zero, no matter what the value of the function at that point is. In [169], integrals of Boolean-valued functions are replaced by their mean values. The mean value of a Boolean-valued function $P$, designated $\overline{P}$, is a function from intervals to $[0,1]$, i.e.

$\overline{P} : \mathit{Intv} \to [0,1]$,

and is defined in real analysis as follows:

$\overline{P}([b,e]) \;\hat{=}\; \begin{cases} \int_b^e P(t)\,dt / (e - b) & \text{if } e > b \\ P(e) & \text{if } e = b \end{cases}$

for any interval $[b,e]$.

Therefore, one can describe point properties of Boolean-valued functions by using their mean values in point intervals, and at the same time one can also define the integral of a Boolean-valued function $P$:

$\int P \;\hat{=}\; \overline{P} \cdot \ell$.

Additional axioms and rules for reasoning about $\delta$-functions and state transitions were developed in [169].
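The two-case definition of $\overline{P}$ and the identity $\int P \;\hat{=}\; \overline{P}\cdot\ell$ can be exercised on a concrete state. The following Python code is an added example, not code from the book: a Boolean state with finite variability is stored as a step function with finitely many transitions, `integral` accumulates its presence time over $[b,e]$, and `mean` follows the definition above, so that on a point interval the integral is $0$ whatever the value of the state, while the mean value recovers that value. The `Leak` state and its transition times are constructed sample data.

```python
from bisect import bisect_right


class BoolState:
    """Boolean-valued step function of time with finite variability.

    `initial` is the value before the first transition; `transitions` is a
    finite list of (time, new_value) pairs, so the state changes its
    presence and absence only finitely often in any bounded period.
    The value at a transition time is the new value (right-continuous).
    """

    def __init__(self, initial, transitions):
        self.initial = int(bool(initial))
        self.transitions = sorted((float(t), int(bool(v))) for t, v in transitions)
        self.times = [t for t, _ in self.transitions]

    def at(self, t):
        """Value P(t) of the state at the time point t."""
        i = bisect_right(self.times, t)
        return self.initial if i == 0 else self.transitions[i - 1][1]

    def integral(self, b, e):
        """Duration of the state in [b, e]: its accumulated presence time.

        The integrand is piecewise constant, so it suffices to sum the
        lengths of the maximal sub-intervals of [b, e] on which P is 1.
        """
        assert b <= e, "intervals are [b, e] with b <= e"
        total = 0.0
        cur = b
        for t, _ in self.transitions:
            if t <= b:
                continue
            if t >= e:
                break
            if self.at(cur):
                total += t - cur
            cur = t
        if self.at(cur):
            total += e - cur
        return total

    def mean(self, b, e):
        """Mean value of the state over [b, e], a number in [0, 1].

        For a proper interval it is the integral divided by the length;
        for a point interval it is the value at that point, which the
        integral alone can never recover (it is 0 at every point).
        """
        assert b <= e, "intervals are [b, e] with b <= e"
        if e > b:
            return self.integral(b, e) / (e - b)
        return float(self.at(e))


# Constructed sample: a Leak state present on [2, 3) and on [10, 11).
LEAK = BoolState(0, [(2, 1), (3, 0), (10, 1), (11, 0)])


def integral_equals_mean_times_length(state, b, e, eps=1e-9):
    """Check the identity  integral P = mean(P) * ell  on the interval [b, e]."""
    return abs(state.integral(b, e) - state.mean(b, e) * (e - b)) < eps


if __name__ == "__main__":
    print("duration of Leak in [0, 20]:", LEAK.integral(0, 20))   # 2.0
    print("mean value in [0, 20]:", LEAK.mean(0, 20))             # 0.1
    print("integral at the point 2:", LEAK.integral(2, 2))        # 0.0
    print("mean value at the point 2:", LEAK.mean(2, 2))          # 1.0
```

The point interval $[2,2]$ is the case the text is about: the integral returns $0$ although the state is present at time 2, whereas the mean value returns $1$, and the identity $\int P = \overline{P}\cdot\ell$ still holds there because $\ell = 0$.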

The approach in [164] is to continue using the basic calculus for the integral of a Boolean-valued function, but atomic formulas to stand for events are added to the basic calculus. This book will follow the approach of [164] to introduce state transitions and events into the Boolean state model.




Real State Model 

A real state model consists of a set of real-valued functions which describe the behavior of physical components of a software-embedded system. By using a real state model, we introduce structures into Boolean states, and a Boolean state becomes a characteristic function of a property of real states of the model. Therefore, specifications and reasoning at the level of the state may have to employ real analysis.

In [170], it was investigated how DC can be combined with real analysis, 
so that real state models can be specified within the framework of DC. In 
[165], this research was further developed by the formalization of some parts 
of real analysis using the left and right neighborhood modalities. 



Dependability 

The dependability of an implementation with regard to a given requirement can be quantitatively measured by a satisfaction probability of the requirement for this implementation.

In the context of the Boolean state model and a discrete time domain, the work presented in [86, 87, 89, 90] provides designers with a set of rules to reason about and calculate the satisfaction probability of a given requirement, formalized using DC, with respect to an implementation represented as a finite automaton with history-independent transition probabilities.

In [22], this work was generalized to a continuous time domain. 
Finite-Divergence Model

The assumption of finite variability of states and events stipulates that within a finite time period, state transitions and events can happen only finitely many times. The finite-variability assumption is always adopted in the case of software systems where time progresses discretely.

The notion opposite to finite variability is called finite divergence (also called the Zeno phenomenon). Continuous mathematics does not reject finite divergence, and introduces the notion of a limit in order to study finite divergence. In [48], the finite-divergence model was formalized by introducing into DC some rules to calculate a state duration in a finite-divergence model as a limit of its approximations in a finite-variability model.

Superdense Computation 

A superdense computation is a sequence of operations which is assumed to be 
timeless. This is an abstraction of a real-time computation within a context 
with a grand time granularity. This assumption is known as the synchrony 
hypothesis and has been adopted in the case of digital control systems, where 
the cycle time of an embedded computer may be nanoseconds, while the 
sampling period of a controller may be seconds. Therefore, the computation 
time of the embedded software of the digital control system is negligible, and 
computational operations can be abstracted as timeless actions. 

To accommodate timeless operations, [164] adapts the chop modality and 
renames it the superdense chop. This can chop a time point in a grand time 
space into multiple points in a finer space, and hence the superdense chop 
introduces structure into a time point. 

By generalizing the projection operator [97] of interval temporal logic, 
[42] introduced into DC the visible and invisible states, and computed non- 
negligible time through projection onto the visible state. 

Thus, the properties of superdense computation can also be specified and 
verified in DC. In [107, 114], other approaches are considered for treating the 
synchrony hypothesis within the framework of DC. 

Expanding Modalities 

With contracting modalities such as $\frown$ and $\Diamond$, one can specify only safety properties of real-time systems.

In order to specify unbounded liveness and fairness properties of real-time systems within the framework of DC, [31, 103, 139, 165] introduced expanding modalities. In [165], it was proved that the left and right neighborhood modalities $\Diamond_l$ and $\Diamond_r$ are adequate, in the sense that the other contracting and expanding modalities suggested in [1, 43, 147] can be derived from them in a first-order logic with an interval length $\ell$. The completeness of the first-order calculus for $\Diamond_l$ and $\Diamond_r$ given in [165] was proved in [9], and, in [8], the completeness was proved for a combination of a first-order temporal logic and an interval logic with neighborhood modalities.

In [31], an interval logic where intervals have a direction was suggested. 
This logic is based on the chop modality, but the “chop point” is allowed to be 
outside the interval under consideration, and in this way the chop modality 
becomes expanding. This logic, called signed interval logic (SIL), was further 
developed in [120, 123]. 

Infinite Intervals 

The behavior of a real-time system, such as the deadline-driven scheduler 
or the gas burner considered here, is often assumed to be infinite. However, 
DC is a logic of finite intervals. An infinite behavior is therefore specified in 
DC as the set of all finite prefixes of the behavior. To specify liveness and 
fairness properties of the behavior of a system in terms of its finite prefixes, 
expanding modalities have been introduced. 

An alternative to expanding modalities is to introduce infinite intervals 
into DC. Extensions of DC which allow infinite intervals were established 
in [117, 162]. These extensions include both finite and infinite intervals, and 
can straightforwardly express and reason about both terminating and infinite 
behaviors of real-time systems. References [117, 118, 119] also compare the 
expressive power of these extensions with the expressive power of monadic 
logic of order. 



Higher-Order and Iteration Operators 

When DC is applied to real-time programming, it becomes inevitable that one 
introduces advanced operators into DC corresponding to the programming 
notions of local variables and channels, and of the loop. 

In [39, 41, 60, 108, 110, 163], the semantics and proof rules of the (higher-order) quantifiers over states and the $\mu$ operator were investigated. It is interesting to discover that, because of the finite variability of states, the quantifiers over states can be reduced to first-order quantifiers over global variables, and also that the superdense chop can be derived from the higher-order quantifiers.



1.3.2 Applications 

The applications of DC focus on the formal design of real-time systems. 

Case Studies of Software-Embedded Systems

DC has been applied to case studies of many software-embedded systems, such as an autopilot [126], a railway crossing [141] and interlock [127], a water level monitor [30, 64], a gas burner [127], a steam boiler [31, 83, 135], an air traffic controller [68], a production cell [113], a motor-load control system [157], an inverted pendulum [151], a chemical concentration control system [153], a heating control system [155], a redundant control system [36] and a hydraulic actuator system [125]. A case study for formalizing and synthesizing an optimal design of a double-tank control system was conducted in [62].

On the basis of these case studies, a methodology and notation for designing software-embedded systems were studied and developed in [16, 21, 149, 171].



Real-Time Semantics, Specification and Verification 

In order to apply DC to the specification and verification of real-time systems, 
techniques for integrating DC with other formalisms such as CSP, phase 
transition systems, Verilog and RAISE have been developed in [37, 57, 59, 
61, 78, 152], where DC has been used to define the underlying semantics. 
In [88], a uniform framework for DC and timed linear temporal logic was 
presented. 

In [63], CSP, Object-Z and DC were combined into a uniform framework for the specification of processes, data and time, based on a smooth integration of the underlying semantic models.

In [58, 133, 134, 164, 166], DC was used to define the real-time semantics for OCCAM-like languages. In [164], it was assumed, in the semantics of an OCCAM-like language, that assignments and message passings take no time, and can form a superdense computation. In [171], a semantics was given to a CSP language with continuous variables which was proposed in [55] and can be used to describe software-embedded systems.

In [98], DC was used to define a real-time semantics for SDL, while [95] embedded a subset of DC into a first-order logic of timed frames and hence into SDL. Reference [109] defined a DC semantics for Esterel. Reference [71] proposed a DC semantics for a graphical language called Constraint Diagrams. Reference [46] gives, in terms of DC, a formal meaning of fault trees. References [37, 78] define a DC semantics for a timed RAISE Specification Language and [136, 173] define a DC semantics for Verilog. In [24, 146], a DC semantics was given to programmable logic controller (PLC) automata and, furthermore, a tool was developed for designing PLC automata from DC specifications.

In [52], DC was used to specify and reason about real-time properties of circuits. Reference [128] applied DC to prove the correctness of Fischer's mutual-exclusion protocol. References [17, 20, 25] specified and verified the correctness of the biphase mark protocol through DC. Reference [160] applied DC to specify and verify the deadline-driven scheduler, and [14, 26] presented formal specifications of several well-known real-time schedulers for processes with shared resources. In [112], DC was used to specify and verify properties of real-time database systems, and, in [49], DC was used to specify and analyze availability properties of security protocols.



Refinement of DC Specifications 

In [94], there was a first attempt to define refinement laws for a restricted set of formulas of DC toward formulas called DC implementables, which describe properties such as timed progress and stability. A full exposition of these ideas is given in the monograph [124]. In this monograph, there is also a study of how to ensure that a set of implementables is feasible, i.e. that it is consistent and extendable in time. Techniques to refine a feasible set of DC implementables via a mixed specification and programming language into an executable program were developed in [100, 133, 134].

References [21, 74, 75, 132] represent work on refining DC formulas into automata. References [153, 154] proposed approaches to refining DC specifications into programs following the paradigms of the Hoare logic and the assumption-commitment logic.

1.3.3 Tools 

Interesting results about the completeness of the calculi for interval modalities and state durations and about decision procedures and model-checking algorithms for DC subsets have been published.

In [27], the completeness of the interval logic described in Chap. 2 was proved for an abstract domain. A similar result was proved in [9] for the neighborhood logic described in Chap. 11. The duration calculus described in Chap. 3 has been proved to be relatively complete [50]. It can also be complete for an abstract domain if we use $\omega$-rules as in [38].

Decidable subsets of DC and the complexity of decision algorithms were 
discovered and analyzed in [2, 18, 32, 35, 47, 79, 102, 115, 116, 131, 167]. 
In order to check whether state transition sequences of a subset of timed 
(even hybrid) automata satisfy a linear inequality of the state durations, 
[12, 70, 80, 81, 82, 84, 158, 159, 172] developed algorithms which employ 
techniques from linear and integer programming. 

On the basis of the above results, a proof assistant for DC was developed 
in [93, 140, 144] as an extension of PVS [101], and a decision procedure [167] 
for DC was incorporated into this proof assistant. For example, the soundness 
proof in [50] of the induction rules for DC was checked by this proof assistant. 
Furthermore, several proofs used in case studies were checked in [140] using 
the DC extension of PVS, e.g. the studies of the simple gas burner system 
proposed in [168] and of the railway crossing proposed in [141]. In these 
applications of the proof assistant, errors in the original proofs were spotted. 
In [23], there is an analysis and comparison of the use of model-checking and logical-reasoning techniques.

In [142], a tool to check the validity of a subclass of DC was presented. Furthermore, [105] developed a tool (DCVALID) to check the validity of a subclass of discrete-time higher-order DC. In [150], DCVALID was used to verify the correctness of a multimedia communication protocol. In [34], a bounded model construction for discrete-time DC was presented, which was shown to be NP-complete.

The proof theory for signed interval logic was developed and investigated in [121, 122, 123], and SIL is encoded in the generic theorem prover Isabelle [111].

1.4 Book Structure 

Chapter 2 (Interval Logic) develops the syntax, semantics, axioms and rules of 
a first-order interval logic. It is the logical foundation of the axiomatizations 
of DC models presented in this book. This first-order interval logic includes 
chop as its only modality, and it is complete for an abstract time domain. 
An abstract time domain is not necessarily the set of real numbers, but an 
arbitrary set which satisfies certain axioms. 

Chapter 3 (Duration Calculus) presents the calculus for durations for the 
Boolean states. It is based on the interval logic described in Chap. 2, and the 
assumption of finite variability of states. The gas burner example is used in 
this chapter to explain the syntax, semantics, axioms and rules of DC. 

Chapter 4 (Deadline-Driven Scheduler) specifies and verifies the deadline- 
driven scheduling algorithm in DC. This demonstrates an application of DC 
to a rather complicated software system. 

Chapter 5 (Relative Completeness) proves the relative completeness of 
DC with respect to a continuous time domain represented by the set of real 
numbers. By relative completeness, we mean that, in the context of this 
continuous time domain, any valid formula of DC is provable in DC, provided 
any valid formula of interval logic can be taken as a theorem of DC. 

Chapters 6 and 7 (Decidability and Undecidability) describe decidable and undecidable subsets of DC formulas in discrete and continuous time domains. The decidability of a subset of DC is proved by reducing the validity of a formula in the subset to the decidable emptiness problem of regular languages. The undecidability of a subset of DC is obtained by reducing the undecidable halting problem for two-counter machines to satisfiability of formulas in the subset.

Chapter 8 (Model Checking: Linear Duration Invariants) presents an algorithm to decide whether an implementation of a real-time system satisfies a requirement written in DC as a finite number of linear inequalities of state durations, where the implementation is taken to be a real-time automaton having an upper time bound and a lower time bound for each transition. The satisfaction problem is reduced by the algorithm to finitely many simple linear programming problems.
Chapter 9 (State Transitions and Events) introduces extra atomic formulas and axioms to express and to reason about state transitions and events. With this extension, one can refine state-based requirements into state and event mixed (or event-based) implementations. In this chapter, an implementation as a real-time automaton is verified for the gas burner example against the two design decisions.

Chapter 10 (Superdense State Transitions) treats the synchrony hypothesis, and introduces the superdense chop modality. With the superdense chop, this chapter presents a real-time semantics for an OCCAM-like language. In the semantics, it is assumed that assignments and message passings take no time.

Chapter 11 (Neighborhood Logic) introduces the left and right neighborhood modalities. It proves the adequacy of these two modalities, and applies them to specify unbounded liveness and fairness.

Chapter 12 (Probabilistic Duration Calculus) assumes that an implementation of a real-time system is represented by a probabilistic automaton having a probability distribution over discrete time for each transition. Axioms and rules are developed to calculate and reason about the satisfaction probability of a requirement, formalized using DC, for a probabilistic automaton over a specified time interval. The gas burner is used as an example to explain the notions and techniques involved.




2. Interval Logic 



In this chapter we give the syntax, semantics and proof system for interval 
logic (IL). This part is based mainly on [27, 28]. Furthermore, we develop 
theorems and rules of IL which are useful when constructing proofs. 



2.1 Syntax 

The formulas of IL are constructed from the following sets of symbols:

GVar: An infinite set of global variables $x, y, z, \ldots$. These variables are called "global" since their meaning is independent of time and time intervals.

TVar: An infinite set of temporal variables $v, v', \ldots$. The meaning of a temporal variable is a real-valued interval function. We assume the existence of a special temporal variable $\ell \in \mathit{TVar}$. The symbol $\ell$ stands for the interval function which gives the length of the interval as its value.

FSymb: An infinite set of global function symbols $f^n, g^m, \ldots$ equipped with arities $n, m \geq 0$. If $f^n$ has arity $n = 0$ then $f$ is called a constant. The meaning of a global function symbol $f^n$, $n > 0$, is an $n$-ary function on real numbers, which is independent of time and time intervals.

RSymb: An infinite set of global relation symbols $G^n, H^m, \ldots$ equipped with arities $n, m \geq 0$. The meaning of a global relation symbol $G^n$, $n > 0$, is an $n$-ary truth-valued ($\{\mathit{tt},\mathit{ff}\}$) function on real numbers, which is independent of time and time intervals. The truth constants true and false are the only two global relation symbols with arity 0.

PLetter: An infinite set of temporal propositional letters $X, Y, \ldots$. The meaning of each temporal propositional letter is a truth-valued interval function.

The set of terms $\theta, \theta_i \in \mathit{Term}$ is defined by the following abstract syntax:

$\theta ::= x \mid v \mid f^n(\theta_1, \ldots, \theta_n)$.

The set of formulas $\phi, \psi \in \mathit{Formula}$ is defined by the following abstract syntax:

$\phi ::= X \mid G^n(\theta_1, \ldots, \theta_n) \mid \neg\phi \mid \phi \vee \psi \mid \phi \frown \psi \mid (\exists x)\phi$,

where $\frown$ is a binary modality for "chopping" an interval into two consecutive subintervals. We also use $\varphi$ and $\psi$ to denote formulas.

We shall use standard notation for constants, e.g. 0, 1, true and false, and 
for function and relation symbols of real arithmetic, e.g. + and >. 



Abbreviations and Conventions 



The following abbreviations will be used:

$\Diamond\phi \;\hat{=}\; \mathit{true} \frown (\phi \frown \mathit{true})$ reads: "for some subinterval: $\phi$"

$\Box\phi \;\hat{=}\; \neg\Diamond\neg\phi$ reads: "for all subintervals: $\phi$".

The standard abbreviations from predicate logic will be used, e.g.

$\phi \wedge \psi \;\hat{=}\; \neg(\neg\phi \vee \neg\psi)$

$\phi \Rightarrow \psi \;\hat{=}\; (\neg\phi \vee \psi)$

$\phi \Leftrightarrow \psi \;\hat{=}\; (\phi \Rightarrow \psi) \wedge (\psi \Rightarrow \phi)$

$(\forall x)\phi \;\hat{=}\; \neg((\exists x)\neg\phi)$.

When $\neg$, $(\exists x)$, $(\forall x)$, $\Box$ and $\Diamond$ occur in formulas they have higher precedence than the binary connectives and the modality $\frown$, e.g.

$(\Box\phi) \Rightarrow (((\forall x)(\neg\psi)) \frown \phi)$

can be written as

$\Box\phi \Rightarrow ((\forall x)\neg\psi \frown \phi)$.

The following conventions for quantifiers will be used:

$\exists x > \theta.\phi \;\hat{=}\; (\exists x)(x > \theta \wedge \phi)$ and similarly for $\geq, <, \ldots$

$\forall x > \theta.\phi \;\hat{=}\; (\forall x)(x > \theta \Rightarrow \phi)$ and similarly for $\geq, <, \ldots$

$\forall x_1, x_2, \ldots, x_n.\phi \;\hat{=}\; (\forall x_1)(\forall x_2) \cdots (\forall x_n)\phi$

$\exists x_1, x_2, \ldots, x_n.\phi \;\hat{=}\; (\exists x_1)(\exists x_2) \cdots (\exists x_n)\phi$.



2.2 Semantics 

The meanings of terms and formulas are explained in this section. To do so 
we must first define the meaning of global and temporal variables, (global) 
function and relation symbols, and (temporal) propositional letters. 

We are interested only in the functions and relations of real arithmetic. Let $\mathbb{R}$ stand for the set of real numbers.

We assume that a total function

$f^n : \mathbb{R}^n \to \mathbb{R}$

is associated with each $n$-ary function symbol $f^n$, and a total function

$G^n : \mathbb{R}^n \to \{\mathit{tt},\mathit{ff}\}$

is associated with each $n$-ary relation symbol $G^n$.

Function symbols, e.g. $+$ and $-$, and relation symbols, e.g. $>$ and $=$, are assumed to have their standard meanings. In particular, $\mathit{tt}$ and $\mathit{ff}$ are associated with "true" and "false", respectively, i.e. $\mathit{true} = \mathit{tt}$ and $\mathit{false} = \mathit{ff}$.

The meanings of global variables are given by a value assignment $\mathcal{V}$, which is a function associating a real number with each global variable:

$\mathcal{V} \in \mathit{GVar} \to \mathbb{R}$.

Let $\mathit{Val}$ stand for the set of all value assignments:

$\mathit{Val} \;\hat{=}\; \mathit{GVar} \to \mathbb{R}$.

Two value assignments $\mathcal{V}, \mathcal{V}' \in \mathit{Val}$ are called $x$-equivalent if $\mathcal{V}(y) = \mathcal{V}'(y)$ for every global variable $y$ which is different from $x$.

Remember that $\mathit{Intv}$ stands for the set of all bounded and closed intervals of real numbers:

$\mathit{Intv} \;\hat{=}\; \{[b,e] \mid b, e \in \mathbb{R} \wedge b \leq e\}$.

The meanings of temporal variables and propositional letters, i.e. the "interval-dependent symbols", are given by an interpretation:

$\mathcal{J} \in \left(\begin{array}{c} \mathit{TVar} \\ \cup \\ \mathit{PLetter} \end{array}\right) \to \left(\begin{array}{c} \mathit{Intv} \to \mathbb{R} \\ \cup \\ \mathit{Intv} \to \{\mathit{tt},\mathit{ff}\} \end{array}\right)$,

where

$\mathcal{J}(v)([b,e]) \in \mathbb{R}$, for all $v \in \mathit{TVar}$,

$\mathcal{J}(\ell)([b,e]) = e - b$, and

$\mathcal{J}(X)([b,e]) \in \{\mathit{tt},\mathit{ff}\}$, for all $X \in \mathit{PLetter}$.

Thus, an interpretation $\mathcal{J}$ associates a real-valued interval function with each temporal variable and a truth-valued interval function with each temporal propositional letter. In particular, the special temporal variable $\ell$ denotes the interval length.

We shall use the following abbreviations:

$v_{\mathcal{J}} \;\hat{=}\; \mathcal{J}(v)$ and $X_{\mathcal{J}} \;\hat{=}\; \mathcal{J}(X)$.
The semantics of a term $\theta$ in an interpretation $\mathcal{J}$ is a function

$\mathcal{J}[\![\theta]\!] \in (\mathit{Val} \times \mathit{Intv}) \to \mathbb{R}$,

defined inductively on the structure of terms by

$\mathcal{J}[\![x]\!](\mathcal{V},[b,e]) = \mathcal{V}(x)$

$\mathcal{J}[\![v]\!](\mathcal{V},[b,e]) = v_{\mathcal{J}}([b,e])$

$\mathcal{J}[\![f^n(\theta_1,\ldots,\theta_n)]\!](\mathcal{V},[b,e]) = f^n(c_1,\ldots,c_n)$,

where $c_i = \mathcal{J}[\![\theta_i]\!](\mathcal{V},[b,e])$, for $1 \leq i \leq n$.

The semantics of a formula $\phi$ in an interpretation $\mathcal{J}$ is a function

$\mathcal{J}[\![\phi]\!] \in (\mathit{Val} \times \mathit{Intv}) \to \{\mathit{tt},\mathit{ff}\}$,

defined inductively on the structure of formulas below, where the following abbreviations will be used:

$\mathcal{J},\mathcal{V},[b,e] \models \phi \;\hat{=}\; \mathcal{J}[\![\phi]\!](\mathcal{V},[b,e]) = \mathit{tt}$

$\mathcal{J},\mathcal{V},[b,e] \not\models \phi \;\hat{=}\; \mathcal{J}[\![\phi]\!](\mathcal{V},[b,e]) = \mathit{ff}$.

The definition of $\models$ is

1. $\mathcal{J},\mathcal{V},[b,e] \models X$ iff $X_{\mathcal{J}}([b,e]) = \mathit{tt}$

2. $\mathcal{J},\mathcal{V},[b,e] \models G^n(\theta_1,\ldots,\theta_n)$ iff $G^n(c_1,\ldots,c_n) = \mathit{tt}$, where $c_i = \mathcal{J}[\![\theta_i]\!](\mathcal{V},[b,e])$ for $1 \leq i \leq n$

3. $\mathcal{J},\mathcal{V},[b,e] \models \neg\phi$ iff $\mathcal{J},\mathcal{V},[b,e] \not\models \phi$

4. $\mathcal{J},\mathcal{V},[b,e] \models \phi \vee \psi$ iff $\mathcal{J},\mathcal{V},[b,e] \models \phi$ or $\mathcal{J},\mathcal{V},[b,e] \models \psi$

5. $\mathcal{J},\mathcal{V},[b,e] \models \phi \frown \psi$ iff $\mathcal{J},\mathcal{V},[b,m] \models \phi$ and $\mathcal{J},\mathcal{V},[m,e] \models \psi$ for some $m \in [b,e]$

6. $\mathcal{J},\mathcal{V},[b,e] \models (\exists x)\phi$ iff $\mathcal{J},\mathcal{V}',[b,e] \models \phi$ for some value assignment $\mathcal{V}'$ which is $x$-equivalent to $\mathcal{V}$.

A formula $\phi$ is valid, written

$\models \phi$,

iff $\mathcal{J},\mathcal{V},[b,e] \models \phi$ for every interpretation $\mathcal{J}$, value assignment $\mathcal{V}$, and interval $[b,e]$. Furthermore, a formula $\psi$ is satisfiable iff $\mathcal{J},\mathcal{V},[b,e] \models \psi$ for some interpretation $\mathcal{J}$, value assignment $\mathcal{V}$ and interval $[b,e]$.
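To see the six clauses at work, the following Python evaluator is an added example, not code from the book. It assumes a discrete time domain, so that the chop point $m$ of clause 5 ranges over the integers between $b$ and $e$, restricts validity to intervals within a finite horizon, and restricts the quantifier of clause 6 to a finite domain; the interpretation, the letters $X$ and $Y$ and the formulas checked ($\Box X \Rightarrow X$ and $\Box X \Leftrightarrow \Box\Box X$, which Sect. 2.3 proves as theorems, the non-theorem $Y \Rightarrow \Box Y$, and $(\exists x)(\ell = x)$) are constructed for the example. The abbreviations $\Diamond$, $\Box$, $\Rightarrow$ and $\Leftrightarrow$ are built from the primitive connectives exactly as in Sect. 2.1.

```python
# Discrete-time evaluator for the six semantic clauses of IL.
# Formulas and terms are nested tuples (a representation constructed here):
#   terms:    ('gvar', 'x') | ('tvar', 'ell') | ('fun', f, t1, ..., tn)
#   formulas: ('letter', 'X') | ('rel', G, t1, ..., tn) | ('not', p)
#             | ('or', p, q) | ('chop', p, q) | ('exists', 'x', p)
# An interpretation J is a dict with keys 'tvar' and 'letter' (name -> interval
# function of (b, e)) and 'domain' (a finite range for the quantifier).


def term_value(term, J, V, b, e):
    """J[[theta]](V, [b, e]) for a term theta."""
    kind = term[0]
    if kind == 'gvar':                 # global variable: look up the value assignment V
        return V[term[1]]
    if kind == 'tvar':                 # temporal variable: apply its interval function
        return J['tvar'][term[1]](b, e)
    if kind == 'fun':                  # f^n(theta_1, ..., theta_n): f is a Python function
        return term[1](*(term_value(t, J, V, b, e) for t in term[2:]))
    raise ValueError(f"unknown term {term!r}")


def holds(phi, J, V, b, e):
    """J, V, [b, e] |= phi by clauses 1-6.  Assumption: time points are the
    integers, so the chop point m of clause 5 ranges over b, b+1, ..., e."""
    kind = phi[0]
    if kind == 'letter':               # 1. temporal propositional letter
        return J['letter'][phi[1]](b, e)
    if kind == 'rel':                  # 2. G^n(theta_1, ..., theta_n)
        return phi[1](*(term_value(t, J, V, b, e) for t in phi[2:]))
    if kind == 'not':                  # 3. negation
        return not holds(phi[1], J, V, b, e)
    if kind == 'or':                   # 4. disjunction
        return holds(phi[1], J, V, b, e) or holds(phi[2], J, V, b, e)
    if kind == 'chop':                 # 5. phi on [b, m] and psi on [m, e] for some m
        return any(holds(phi[1], J, V, b, m) and holds(phi[2], J, V, m, e)
                   for m in range(b, e + 1))
    if kind == 'exists':               # 6. some V' that is x-equivalent to V
        x, body = phi[1], phi[2]
        return any(holds(body, J, {**V, x: c}, b, e) for c in J['domain'])
    raise ValueError(f"unknown formula {phi!r}")


# The abbreviations of Sect. 2.1, built from the primitive connectives.
TRUE = ('rel', lambda: True)
ELL = ('tvar', 'ell')
def implies(p, q): return ('or', ('not', p), q)
def conj(p, q): return ('not', ('or', ('not', p), ('not', q)))
def iff(p, q): return conj(implies(p, q), implies(q, p))
def diamond(p): return ('chop', TRUE, ('chop', p, TRUE))      # true ^ (p ^ true)
def box(p): return ('not', diamond(('not', p)))               # not diamond not p


def valid_on(phi, J, horizon):
    """Validity of phi restricted to the intervals [b, e] with
    0 <= b <= e <= horizon (a finite approximation of |= phi)."""
    return all(holds(phi, J, {}, b, e)
               for b in range(horizon + 1) for e in range(b, horizon + 1))


# Constructed sample interpretation: ell is the interval length, X holds on
# intervals of length at most 3 (closed under taking subintervals), Y holds on
# intervals of length at least 3 (not closed), and quantified global variables
# range over 0..6.
J_SAMPLE = {
    'tvar': {'ell': lambda b, e: e - b},
    'letter': {'X': lambda b, e: e - b <= 3,
               'Y': lambda b, e: e - b >= 3},
    'domain': range(7),
}
X, Y = ('letter', 'X'), ('letter', 'Y')
ELL_EQ_X = ('rel', lambda a, c: a == c, ELL, ('gvar', 'x'))   # ell = x


def sample_checks(J=J_SAMPLE, horizon=6):
    """Two S4 theorems, a non-theorem, and a quantified formula on J."""
    return {
        'IL2 box X => X': valid_on(implies(box(X), X), J, horizon),
        'IL3 box X <=> box box X': valid_on(iff(box(X), box(box(X))), J, horizon),
        'Y => box Y': valid_on(implies(Y, box(Y)), J, horizon),
        'exists x. ell = x': valid_on(('exists', 'x', ELL_EQ_X), J, horizon),
    }


def chop_example():
    """(ell = x) ^ Y on [0, 5] with x = 2: the only chop point is m = 2, and
    [2, 5] has length 3, so Y holds there."""
    return holds(('chop', ELL_EQ_X, Y), J_SAMPLE, {'x': 2}, 0, 5)


if __name__ == "__main__":
    print(sample_checks())   # the two theorems and the quantified formula True, 'Y => box Y' False
    print(chop_example())    # True
```

Because the checks range only over a finite horizon, a True result is evidence rather than a proof (a formula may still fail on a longer interval), whereas a False result is a genuine counterexample to validity: $Y \Rightarrow \Box Y$ fails on $[0,3]$ because its point subinterval $[0,0]$ does not satisfy $Y$. This asymmetry is what separates such model checking from the proof system of Sect. 2.3.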




2.3 Proof System 
The proof system of IL that we adopt here is called $S'$ in [28].

To formulate the axioms and inference rules, we need the standard notions of free (global) variables. A term or formula is called flexible if a temporal variable including the symbol $\ell$ or a propositional letter occurs in the term or formula. A term or formula which is not flexible is called rigid.

Note that a rigid formula may include the chop modality. For example, the formula $((x > y) \frown \mathit{true})$ is rigid.

The axioms of IL are:

A0  $\ell \geq 0$.

A1  $((\phi \frown \psi) \wedge \neg(\phi \frown \varphi)) \Rightarrow (\phi \frown (\psi \wedge \neg\varphi))$.
    $((\phi \frown \psi) \wedge \neg(\varphi \frown \psi)) \Rightarrow ((\phi \wedge \neg\varphi) \frown \psi)$.

A2  $((\phi \frown \psi) \frown \varphi) \Leftrightarrow (\phi \frown (\psi \frown \varphi))$.

R   $(\phi \frown \psi) \Rightarrow \phi$ if $\phi$ is a rigid formula.
    $(\phi \frown \psi) \Rightarrow \psi$ if $\psi$ is a rigid formula.

E   $(\exists x.\phi \frown \psi) \Rightarrow \exists x.(\phi \frown \psi)$ if $x$ is not free in $\psi$.
    $(\phi \frown \exists x.\psi) \Rightarrow \exists x.(\phi \frown \psi)$ if $x$ is not free in $\phi$.

L1  $((\ell = x) \frown \phi) \Rightarrow \neg((\ell = x) \frown \neg\phi)$.
    $(\phi \frown (\ell = x)) \Rightarrow \neg(\neg\phi \frown (\ell = x))$.

L2  $(x \geq 0 \wedge y \geq 0) \Rightarrow ((\ell = x + y) \Leftrightarrow ((\ell = x) \frown (\ell = y)))$.

L3  $\phi \Rightarrow (\phi \frown (\ell = 0))$.
    $\phi \Rightarrow ((\ell = 0) \frown \phi)$.

The inference rules of IL are:

MP  if $\phi$ and $\phi \Rightarrow \psi$ then $\psi$.

G   if $\phi$ then $(\forall x)\phi$.

N   if $\phi$ then $\neg((\neg\phi) \frown \psi)$.
    if $\phi$ then $\neg(\psi \frown (\neg\phi))$.

M   if $\phi \Rightarrow \psi$ then $(\phi \frown \varphi) \Rightarrow (\psi \frown \varphi)$.
    if $\phi \Rightarrow \psi$ then $(\varphi \frown \phi) \Rightarrow (\varphi \frown \psi)$.

The inference rule MP is called "modus ponens". The inference rule G is the standard generalization rule from first-order logic, and G is called generalization. The inference rule N is called the rule of necessity, and the inference rule M is the monotonicity rule for chop.
Predicate Logic

The proof system also contains axioms of first-order predicate logic with equality. Any axiomatic basis can be chosen. Special care must, however, be taken when universally quantified formulas are instantiated and when an existential quantifier is introduced.

A term $\theta$ is called free for $x$ in $\phi$ if $x$ does not occur freely in $\phi$ within the scope of $\exists y$ or $\forall y$, where $y$ is any variable occurring in $\theta$.

Furthermore, a formula is called chop free if $\frown$ does not occur in the formula.

We first illustrate by simple examples why side-conditions are needed in the axiom schemas for the quantifiers.

For example, the term $y$ is free for $x$ in $(\exists z)(z > x)$, whereas $y$ is not free for $x$ in $(\exists y)(y > x)$. These two formulas are both valid. Instantiation of $x$ with $y$ in the first formula yields $(\exists z)(z > y)$, which is a valid formula. However, instantiation of $x$ with $y$ in the second formula yields $(\exists y)(y > y)$, which is not valid.

Furthermore, consider the following universally quantified and valid formula:

$(\forall x)(((\ell = x) \frown (\ell = x)) \Rightarrow (\ell = 2x))$.

This formula is not chop free, and instantiating it with the term $\ell$, which is flexible, yields the formula

$((\ell = \ell) \frown (\ell = \ell)) \Rightarrow (\ell = 2\ell)$,

which is not valid.

Therefore, side-conditions occur in the following two axiom schemas:

Q1  $\forall x.\phi(x) \Rightarrow \phi(\theta)$
Q2  $\phi(\theta) \Rightarrow \exists x.\phi(x)$

where, in both schemas, $\theta$ is free for $x$ in $\phi(x)$, and either $\theta$ is rigid or $\phi(x)$ is chop free.

The proof system has to contain axioms of a first-order logic for the value 
and time domain of IL, namely a first-order logic of real arithmetic. In this 
book, we shall avoid the issue of formalization of real arithmetic, but apply 
informal understanding of it in proofs. 



Proof and Deduction 

Formally, a proof of $\phi$ is a finite sequence of formulas $\phi_1 \cdots \phi_n$ where $\phi_n$ is $\phi$, and each $\phi_i$ is either an instance of one of the above axiom schemas or obtained by applying one of the above inference rules to previous members of the sequence. We write

$\vdash \phi$

to denote that there exists a proof of $\phi$ in IL, and we call $\phi$ a theorem of IL in this case.

A deduction of $\phi$ in IL from a set of formulas $\Gamma$ is a sequence of formulas $\phi_1 \cdots \phi_n$ where $\phi_n$ is $\phi$, and each $\phi_i$ is either a member of $\Gamma$, an instance of one of the above axiom schemas or obtained by applying one of the above inference rules to previous members of the sequence. We write

$\Gamma \vdash \phi$

to denote that there exists a deduction of $\phi$ from $\Gamma$ in IL, and we write

$\Gamma, \phi \vdash \psi$

for $(\Gamma \cup \{\phi\}) \vdash \psi$.

The following theorem about the soundness of the IL proof system is an 
example of a metatheorem which expresses a property of IL. 

Theorem 2.1 (Soundness)
$\vdash \phi$ implies $\models \phi$.

Proof. It is not difficult to show that each axiom is a valid formula, and that each rule preserves validity in the sense that it gives a valid formula when applied to valid formulas. □

Theorems and derived rules of IL will be denoted IL1, IL2, ..., to distinguish them from the metatheorems. Henceforth, in proofs of IL theorems and metatheorems, we shall use "PL" when we refer to predicate-logic theorems or real-arithmetic theorems.

The logic IL is an extension of the modal logic S4 (e.g. [66]) since the following three theorems and one derived rule can be proved in IL (remember that $\Box\phi$ is an abbreviation of $\neg\Diamond\neg\phi$ and that $\Diamond\phi$ is an abbreviation of $(\mathit{true} \frown (\phi \frown \mathit{true}))$):

IL1  $\Box(\phi \Rightarrow \psi) \Rightarrow (\Box\phi \Rightarrow \Box\psi)$.

IL2  $\Box\phi \Rightarrow \phi$.

IL3  $\Box\phi \Leftrightarrow \Box\Box\phi$.

IL4  $\phi \vdash \Box\phi$.
We give proofs of IL1 and IL4 only.

Proof. A proof of IL1:

1. $(\neg(\mathit{true} \frown (\neg\phi \frown \mathit{true})) \wedge (\mathit{true} \frown (\neg\psi \frown \mathit{true}))) \Rightarrow (\mathit{true} \frown ((\neg\psi \frown \mathit{true}) \wedge \neg(\neg\phi \frown \mathit{true})))$   A1

2. $((\neg\psi \frown \mathit{true}) \wedge \neg(\neg\phi \frown \mathit{true})) \Rightarrow ((\neg\psi \wedge \neg\neg\phi) \frown \mathit{true})$   A1

3. $(\neg(\mathit{true} \frown (\neg\phi \frown \mathit{true})) \wedge (\mathit{true} \frown (\neg\psi \frown \mathit{true}))) \Rightarrow (\mathit{true} \frown ((\phi \wedge \neg\psi) \frown \mathit{true}))$   1., 2., M, PL

4. $(\Box\phi \wedge \neg\Box\psi) \Rightarrow \neg\Box(\phi \Rightarrow \psi)$   3., Def($\Box$)

5. $\Box(\phi \Rightarrow \psi) \Rightarrow (\Box\phi \Rightarrow \Box\psi)$   4., PL.

□

Proof. A proof of IL4:

1. $\phi$   assumption

2. $\neg(\neg\phi \frown \mathit{true})$   1., N

3. $\neg(\mathit{true} \frown \neg(\neg(\neg\phi \frown \mathit{true})))$   2., N

4. $(\neg\phi \frown \mathit{true}) \Rightarrow \neg(\neg(\neg\phi \frown \mathit{true}))$   PL

5. $(\mathit{true} \frown (\neg\phi \frown \mathit{true})) \Rightarrow (\mathit{true} \frown \neg(\neg(\neg\phi \frown \mathit{true})))$   4., M

6. $\neg(\mathit{true} \frown \neg(\neg(\neg\phi \frown \mathit{true}))) \Rightarrow \neg(\mathit{true} \frown (\neg\phi \frown \mathit{true}))$   5., PL

7. $\neg(\mathit{true} \frown (\neg\phi \frown \mathit{true}))$   3., 6., MP.

□

The following theorems and derived rule about $\Box$ will be used later in the proof of the deduction theorem:

IL5  $\Box\phi \Rightarrow \neg(\neg\phi \frown \phi)$.
     $\Box\phi \Rightarrow \neg(\phi \frown \neg\phi)$.

IL6  $\Box\phi \Rightarrow \psi \;\vdash\; \Box\phi \Rightarrow \Box\psi$.

IL7  $\Box(\phi \Rightarrow \psi) \Rightarrow (\Diamond\phi \Rightarrow \Diamond\psi)$.

Proof. The two parts of IL5 are similar, so we consider only the first. We prove $(\neg\phi \frown \phi) \Rightarrow \neg\Box\phi$, i.e. $(\neg\phi \frown \phi) \Rightarrow (\mathit{true} \frown (\neg\phi \frown \mathit{true}))$, to prove IL5:

1. $\phi \Rightarrow \mathit{true}$   PL

2. $(\neg\phi \frown \phi) \Rightarrow (\neg\phi \frown \mathit{true})$   1., M

3. $\ell = 0 \Rightarrow \mathit{true}$   PL

4. $(\ell = 0 \frown (\neg\phi \frown \phi)) \Rightarrow (\mathit{true} \frown (\neg\phi \frown \phi))$   3., M

5. $(\mathit{true} \frown (\neg\phi \frown \phi)) \Rightarrow (\mathit{true} \frown (\neg\phi \frown \mathit{true}))$   2., M

6. $(\ell = 0 \frown (\neg\phi \frown \phi)) \Rightarrow (\mathit{true} \frown (\neg\phi \frown \mathit{true}))$   4., 5., PL

7. $(\neg\phi \frown \phi) \Rightarrow (\ell = 0 \frown (\neg\phi \frown \phi))$   L3

8. $(\neg\phi \frown \phi) \Rightarrow (\mathit{true} \frown (\neg\phi \frown \mathit{true}))$   7., 6., PL.

The following is a proof of IL6:

1. $\Box\phi \Rightarrow \psi$   assumption

2. $\Box(\Box\phi \Rightarrow \psi)$   1., IL4

3. $\Box(\Box\phi \Rightarrow \psi) \Rightarrow (\Box\Box\phi \Rightarrow \Box\psi)$   IL1

4. $\Box\Box\phi \Rightarrow \Box\psi$   2., 3., MP

5. $\Box\phi \Rightarrow \Box\Box\phi$   IL3

6. $\Box\phi \Rightarrow \Box\psi$   5., 4., PL.

The proof of IL7 is left for the reader.

□



2.3.1 Deduction

In order to simplify proofs, we establish a deduction theorem for IL here.

Theorem 2.2 (Deduction) If a deduction $\Gamma, \phi \vdash \psi$ involves no application of the generalization rule G in which the quantified variable is free in $\phi$, then

$\Gamma \vdash \Box\phi \Rightarrow \psi$.

Proof. The proof is by induction on the length $n$ of the deduction $\Gamma, \phi \vdash \psi$.

Base step: $n = 1$. Then $\psi$ must be either $\phi$, a member of $\Gamma$ or an axiom.

Case where $\psi$ is $\phi$: This case is simple, since $\vdash \Box\phi \Rightarrow \phi$ by IL2 and thus, trivially, $\Gamma \vdash \Box\phi \Rightarrow \phi$.

Case where $\psi$ is an axiom or a member of $\Gamma$: In this case the following deduction establishes $\Gamma \vdash \Box\phi \Rightarrow \psi$:

1. $\psi$
2. $\psi \Rightarrow (\Box\phi \Rightarrow \psi)$   PL
3. $\Box\phi \Rightarrow \psi$   1., 2., MP.

Inductive step: Suppose $n > 1$. The induction hypothesis is: If $\Gamma, \phi \vdash \varphi$ by a deduction of length shorter than $n$ which does not contain an application of the generalization rule G in which the quantified variable is free in $\phi$, then $\Gamma \vdash \Box\phi \Rightarrow \varphi$.

The case where $\psi$ is either $\phi$, a member of $\Gamma$ or an axiom is as above. Otherwise, an inference rule is applied in the last step in the deduction:

Case MP: The deduction from $\Gamma \cup \{\phi\}$ has the form

   ⋮
   $\psi_1$
   ⋮
   $\psi_1 \Rightarrow \psi$
   ⋮
   $\psi$.

There are deductions of $\Box\phi \Rightarrow \psi_1$ and $\Box\phi \Rightarrow (\psi_1 \Rightarrow \psi)$ from $\Gamma$, by the induction hypothesis. A deduction of $\Box\phi \Rightarrow \psi$ from $\Gamma$ can be given as follows:

   ⋮   (deduction of $\Box\phi \Rightarrow \psi_1$ from $\Gamma$)
k. $\Box\phi \Rightarrow \psi_1$
   ⋮   (deduction of $\Box\phi \Rightarrow (\psi_1 \Rightarrow \psi)$ from $\Gamma$)
l. $\Box\phi \Rightarrow (\psi_1 \Rightarrow \psi)$
l+1. $(\Box\phi \Rightarrow (\psi_1 \Rightarrow \psi)) \Rightarrow ((\Box\phi \Rightarrow \psi_1) \Rightarrow (\Box\phi \Rightarrow \psi))$   PL
l+2. $(\Box\phi \Rightarrow \psi_1) \Rightarrow (\Box\phi \Rightarrow \psi)$   l., l+1., MP
l+3. $\Box\phi \Rightarrow \psi$   k., l+2., MP.

Case G: $\psi$ has the form $(\forall x)\psi_1$, and the deduction from $\Gamma \cup \{\phi\}$ has the form

   ⋮
   $\psi_1$
   ⋮
   $(\forall x)\psi_1$.

Note that $x$ does not occur freely in $\phi$ and hence not in $\Box\phi$. Thus, we have, from PL,

1. $(\forall x)(\Box\phi \Rightarrow \psi_1) \Rightarrow (\Box\phi \Rightarrow (\forall x)\psi_1)$.

By the induction hypothesis, there is a deduction of $\Box\phi \Rightarrow \psi_1$ from $\Gamma$. A deduction of $\Box\phi \Rightarrow (\forall x)\psi_1$ from $\Gamma$ can be given as follows:

   ⋮   (deduction of $\Box\phi \Rightarrow \psi_1$ from $\Gamma$)
k. $\Box\phi \Rightarrow \psi_1$
k+1. $(\forall x)(\Box\phi \Rightarrow \psi_1)$   k., G
k+2. $(\forall x)(\Box\phi \Rightarrow \psi_1) \Rightarrow (\Box\phi \Rightarrow (\forall x)\psi_1)$   PL
k+3. $\Box\phi \Rightarrow (\forall x)\psi_1$   k+1., k+2., MP.

Case N: We give only a proof of the first rule of N. The second rule can be proved similarly. Let $\psi$ have the form $\neg(\neg\psi_1\frown\varphi)$ and the deduction from $\Gamma \cup \{\phi\}$ have the form

   ⋮
   $\psi_1$
   ⋮
   $\neg(\neg\psi_1\frown\varphi)$.

By the induction hypothesis, there is a deduction of $\Box\phi \Rightarrow \psi_1$ from $\Gamma$. A deduction of $\Box\phi \Rightarrow \neg(\neg\psi_1\frown\varphi)$ from $\Gamma$ can be given as follows:

   ⋮   (deduction of $\Box\phi \Rightarrow \psi_1$ from $\Gamma$)
k. $\Box\phi \Rightarrow \psi_1$
k+1. $\Box\phi \Rightarrow \Box\psi_1$   k., IL6
k+2. $\Box\psi_1 \Rightarrow \neg(\neg\psi_1\frown\varphi)$   IL5
k+3. $\Box\phi \Rightarrow \neg(\neg\psi_1\frown\varphi)$   k+1., k+2., PL.

Case M: We give only a proof of the first rule of M. The second rule can be proved similarly. Let $\psi$ have the form $(\psi_1\frown\varphi) \Rightarrow (\psi_2\frown\varphi)$ and the deduction from $\Gamma \cup \{\phi\}$ have the form

   ⋮
   $\psi_1 \Rightarrow \psi_2$
   ⋮
   $(\psi_1\frown\varphi) \Rightarrow (\psi_2\frown\varphi)$.

By the induction hypothesis, there is a deduction of $\Box\phi \Rightarrow (\psi_1 \Rightarrow \psi_2)$ from $\Gamma$. A deduction of $\Box\phi \Rightarrow ((\psi_1\frown\varphi) \Rightarrow (\psi_2\frown\varphi))$ from $\Gamma$ can be given as follows:

   ⋮   (deduction of $\Box\phi \Rightarrow (\psi_1 \Rightarrow \psi_2)$ from $\Gamma$)
k. $\Box\phi \Rightarrow (\psi_1 \Rightarrow \psi_2)$
k+1. $\Box\phi \Rightarrow \Box(\psi_1 \Rightarrow \psi_2)$   k., IL6
k+2. $\Box(\psi_1 \Rightarrow \psi_2) \Rightarrow ((\psi_1\frown\varphi) \Rightarrow (\psi_2\frown\varphi))$   IL7
k+3. $\Box\phi \Rightarrow ((\psi_1\frown\varphi) \Rightarrow (\psi_2\frown\varphi))$   k+1., k+2., PL.

This ends the proof of the deduction theorem. □

Proofs can sometimes be obtained more easily by using the deduction theorem. We can, for example, prove

IL8 $\Box(\phi \Rightarrow \psi) \Rightarrow \Box(\Box\phi \Rightarrow \Box\psi)$

from a deduction of $\Box(\Box\phi \Rightarrow \Box\psi)$ from $\{(\phi \Rightarrow \psi)\}$ using Theorem 2.2:

1. $\phi \Rightarrow \psi$   assumption
2. $\Box(\phi \Rightarrow \psi)$   1., IL4
3. $\Box\phi \Rightarrow \Box\psi$   2., IL1, MP
4. $\Box(\Box\phi \Rightarrow \Box\psi)$   3., IL4.



Remark. Although we shall avoid the issue of formalizing real arithmetic, it is 
still interesting to mention a result in [28], where it is proved that, given any 
first-order logic for the value and time domain of IL which includes at least 
axioms for defining totally ordered commutative groups, the proof system is 
complete with respect to abstract domains of the given logic. □ 



2.4 Theorems

In this section, we shall present a collection of theorems and derived rules of IL which can help one to understand the logic and to conduct proofs. Some of the theorems are proved. Others are left as exercises.

Sometimes we shall use the following convention for presenting a proof:

$\phi_1$
$\Rightarrow \phi_2$
$\Rightarrow \phi_3$

is an abbreviation for

1. $\phi_1 \Rightarrow \phi_2$
2. $(\phi_1 \wedge \phi_2) \Rightarrow \phi_3$
3. $\phi_1 \Rightarrow \phi_3$

and

$\phi_1$
$\Leftrightarrow \phi_2$
$\Leftrightarrow \phi_3$

is an abbreviation for

1. $\phi_1 \Leftrightarrow \phi_2$
2. $\phi_2 \Leftrightarrow \phi_3$
3. $\phi_1 \Leftrightarrow \phi_3$.

This generalizes to longer chains: $\phi_1 \Rightarrow \cdots \Rightarrow \phi_n$ and $\phi_1 \Leftrightarrow \cdots \Leftrightarrow \phi_n$.



Quantifications

Some of the theorems and rules about quantification which will be used later are

$\forall x.(\phi \Rightarrow \psi) \Rightarrow (\exists x.\phi \Rightarrow \psi)$
$\forall x.(\psi \Rightarrow \phi) \Rightarrow (\psi \Rightarrow \forall x.\phi)$
$(\phi \Rightarrow \psi), \exists x.\phi \vdash \psi$

if $x$ does not occur free in $\psi$.

Predicate Logic and Temporal Variables

Throughout the book we shall introduce length, and other temporal variables, into "pure" theorems of predicate logic. For example

$\forall x \exists y.(x = y)$

is a "pure" theorem of predicate logic. This formula is chop free and the term $\ell$ is free for $x$ in $\exists y.(x = y)$. Hence, by Q1, the following formula is a theorem of IL:

$\exists y.(\ell = y)$.

Many other theorems can be proved in a similar way, e.g.

$(\ell > y) \Rightarrow \exists z > 0.(\ell = y + z)$.

In the following, we shall simply refer to PL when we introduce theorems such as the two above.



Rigid Formulas

Using the axiom schema R, one can derive many useful theorems for rigid formulas. For example

IL9 $\phi \Leftrightarrow \Box\phi$ if $\phi$ is a rigid formula.

\/x.{(j) ^ ^'0)) b ^ if (p is a rigid formula. 

Vx.(0 h Vx.(0 => if ^ is a rigid formula. 

The proofs are left as exercises. 



Existence of Length

IL11 $(\ell = x) \Rightarrow \phi \vdash \phi$ if $x$ is not free in $\phi$.

Proof.

1. $(\ell = x) \Rightarrow \phi$   assumption
2. $\forall x.((\ell = x) \Rightarrow \phi)$   1., G
3. $\forall x.((\ell = x) \Rightarrow \phi) \Rightarrow (\exists x.(\ell = x) \Rightarrow \phi)$   PL ($x$ not free in $\phi$)
4. $\exists x.(\ell = x) \Rightarrow \phi$   2., 3., MP
5. $\exists x.(\ell = x)$   PL
6. $\phi$   4., 5., MP.

□



Existential Quantification and Chop

IL12 $\exists x.(\phi\frown\psi) \Rightarrow (\exists x.\phi\frown\exists x.\psi)$.

Proof.

1. $\phi \Rightarrow \exists x.\phi$   PL
2. $\psi \Rightarrow \exists x.\psi$   PL
3. $(\phi\frown\psi) \Rightarrow (\exists x.\phi\frown\exists x.\psi)$   1., 2., M
4. $\forall x.((\phi\frown\psi) \Rightarrow (\exists x.\phi\frown\exists x.\psi))$   3., G
5. $\exists x.(\phi\frown\psi) \Rightarrow (\exists x.\phi\frown\exists x.\psi)$   4., PL.

□
Chop and False

IL13 $(\psi\frown\mathit{false}) \Leftrightarrow \mathit{false}$.
     $(\mathit{false}\frown\psi) \Leftrightarrow \mathit{false}$.

Proof. The direction $\Rightarrow$ follows from R, since $\mathit{false}$ is a rigid formula. The other direction follows from PL. □



Chop and Disjunction

IL14 $((\phi \vee \psi)\frown\varphi) \Leftrightarrow ((\phi\frown\varphi) \vee (\psi\frown\varphi))$.
     $(\varphi\frown(\phi \vee \psi)) \Leftrightarrow ((\varphi\frown\phi) \vee (\varphi\frown\psi))$.

Proof. The directions $\Leftarrow$ follow straightforwardly from M. We prove the other direction of the first theorem by the method of reductio ad absurdum:

$((\phi \vee \psi)\frown\varphi) \wedge \neg((\phi\frown\varphi) \vee (\psi\frown\varphi))$
$\Rightarrow ((\phi \vee \psi)\frown\varphi) \wedge \neg(\phi\frown\varphi) \wedge \neg(\psi\frown\varphi)$   PL
$\Rightarrow (((\phi \vee \psi) \wedge \neg\phi \wedge \neg\psi)\frown\varphi)$   A1
$\Rightarrow (\mathit{false}\frown\varphi)$   PL, M
$\Rightarrow \mathit{false}$   IL13.

□



Chop and Negation

IL15 $((\ell = x \wedge \phi)\frown\psi) \Rightarrow \neg((\ell = x \wedge \neg\phi)\frown\psi)$.
     $(\phi\frown(\ell = x \wedge \psi)) \Rightarrow \neg(\phi\frown(\ell = x \wedge \neg\psi))$.

IL16 $(\ell \geq x \wedge \neg((\ell = x)\frown\neg\phi)) \Leftrightarrow ((\ell = x)\frown\phi)$.
     $(\ell \geq x \wedge \neg(\neg\phi\frown(\ell = x))) \Leftrightarrow (\phi\frown(\ell = x))$.

Proof. We prove only the direction $\Rightarrow$ of the first theorem of IL16.

$(\ell \geq x) \wedge \neg((\ell = x)\frown\neg\phi)$
$\Rightarrow (\exists y \geq 0.(\ell = x + y)) \wedge \neg((\ell = x)\frown\neg\phi)$   PL
$\Rightarrow ((\ell = x)\frown\exists y \geq 0.(\ell = y)) \wedge \neg((\ell = x)\frown\neg\phi)$   L2, IL12, M, PL
$\Rightarrow ((\ell = x)\frown\mathit{true}) \wedge \neg((\ell = x)\frown\neg\phi)$   PL, M
$\Rightarrow ((\ell = x)\frown(\mathit{true} \wedge \neg\neg\phi))$   A1
$\Rightarrow ((\ell = x)\frown\phi)$   PL, M.

□
Chop and Conjunction

IL17 $(((\phi_1 \wedge \ell = x)\frown\psi_1) \wedge ((\phi_2 \wedge \ell = x)\frown\psi_2)) \Leftrightarrow ((\phi_1 \wedge \phi_2 \wedge \ell = x)\frown(\psi_1 \wedge \psi_2))$.
     $((\phi_1\frown(\psi_1 \wedge \ell = x)) \wedge (\phi_2\frown(\psi_2 \wedge \ell = x))) \Leftrightarrow ((\phi_1 \wedge \phi_2)\frown(\psi_1 \wedge \psi_2 \wedge \ell = x))$.

Proof. The proof of IL17 is quite tedious. We sketch here a proof of the $\Rightarrow$ part of the first theorem, and leave the rest for readers. This proof involves two lemmas. The first lemma is

$(((\ell = x)\frown\psi_1) \wedge ((\ell = x)\frown\psi_2)) \Rightarrow ((\ell = x)\frown(\psi_1 \wedge \psi_2))$.

By L1, L2 and IL14, we can derive

$(((\ell = x)\frown\psi_1) \wedge ((\ell = x)\frown\psi_2)) \Rightarrow ((\ell \geq x) \wedge \neg((\ell = x)\frown\neg(\psi_1 \wedge \psi_2)))$.

Hence, from IL16, we can obtain the first lemma. The second lemma is

$((((\ell = x) \wedge \phi_1)\frown\mathit{true}) \wedge (((\ell = x) \wedge \phi_2)\frown\mathit{true})) \Rightarrow (((\ell = x) \wedge \phi_1 \wedge \phi_2)\frown\mathit{true})$.

The proof is similar to that of the first lemma but through IL11. By assuming $y$ to be the length of the interval concerned, from L2 we can conclude that the length of the second subinterval is $y - x$. Therefore, we can follow the proof of the first lemma to prove

$((\phi_1\frown(\ell = y - x)) \wedge (\phi_2\frown(\ell = y - x))) \Rightarrow ((\phi_1 \wedge \phi_2)\frown(\ell = y - x))$

and hence the lemma. On the basis of the above lemmas, we can conclude the theorem through

$((\phi_1 \wedge \phi_2 \wedge (\ell = x))\frown\mathit{true}) \wedge \neg((\phi_1 \wedge \phi_2 \wedge (\ell = x))\frown(\psi_1 \wedge \psi_2))$
$\Rightarrow ((\phi_1 \wedge \phi_2 \wedge (\ell = x))\frown\neg(\psi_1 \wedge \psi_2))$   A1
$\Rightarrow ((\ell = x)\frown\neg(\psi_1 \wedge \psi_2))$   M
$\Rightarrow \neg((\ell = x)\frown(\psi_1 \wedge \psi_2))$   L1.

□

Chop and Point

IL18 $(\phi\frown\ell = 0) \Leftrightarrow \phi$.
     $(\ell = 0\frown\phi) \Leftrightarrow \phi$.

Proof. The direction $\Leftarrow$ follows from L3. The other direction is proved as follows:

$(\phi\frown\ell = 0) \wedge \neg\phi$
$\Rightarrow (\phi\frown\ell = 0) \wedge (\neg\phi\frown\ell = 0)$   L3
$\Rightarrow ((\phi \wedge \neg\phi)\frown\ell = 0)$   IL17
$\Rightarrow (\mathit{false}\frown\ell = 0)$   M
$\Rightarrow \mathit{false}$   IL13.

□
Chop and Box

IL19 $(\Box\phi \wedge (\psi\frown\varphi)) \Rightarrow ((\phi \wedge \psi)\frown\varphi)$.
     $(\Box\phi \wedge (\psi\frown\varphi)) \Rightarrow (\psi\frown(\phi \wedge \varphi))$.

Proof. The following is a proof of $(\Box\phi \wedge (\psi\frown\varphi)) \Rightarrow ((\phi \wedge \psi)\frown\varphi)$:

1. $(\Box\phi \wedge (\psi\frown\varphi)) \Rightarrow (\neg(\neg\phi\frown\varphi) \wedge (\psi\frown\varphi))$   IL5, PL
2. $(\neg(\neg\phi\frown\varphi) \wedge (\psi\frown\varphi)) \Rightarrow ((\neg\neg\phi \wedge \psi)\frown\varphi)$   A1
3. $(\Box\phi \wedge (\psi\frown\varphi)) \Rightarrow ((\neg\neg\phi \wedge \psi)\frown\varphi)$   1., 2., PL
4. $((\neg\neg\phi \wedge \psi)\frown\varphi) \Rightarrow ((\phi \wedge \psi)\frown\varphi)$   M
5. $(\Box\phi \wedge (\psi\frown\varphi)) \Rightarrow ((\phi \wedge \psi)\frown\varphi)$   3., 4., PL.

The other proof is similar. □



Chop and Length

IL20 $((\ell > 0)\frown(\ell \geq 0)) \Leftrightarrow (\ell > 0)$.
     $((\ell \geq 0)\frown(\ell > 0)) \Leftrightarrow (\ell > 0)$.
     $((\ell > 0)\frown(\ell > 0)) \Leftrightarrow (\ell > 0)$.

Proof. We first give a proof of $((\ell > 0)\frown(\ell > 0)) \Rightarrow \ell > 0$:

1. $(\ell > 0)\frown(\ell > 0)$
   $\Rightarrow \exists x > 0.(\ell = x)\frown\exists y > 0.(\ell = y)$   PL, M
   $\Rightarrow \exists x > 0.\exists y > 0.((\ell = x)\frown(\ell = y))$   E
2. $(x > 0 \wedge y > 0 \wedge ((\ell = x)\frown(\ell = y))) \Rightarrow (\ell > 0)$   PL, L2
3. $((\ell > 0)\frown(\ell > 0)) \Rightarrow (\ell > 0)$   1., 2., PL.

The following is a proof of $(\ell > 0) \Rightarrow ((\ell > 0)\frown(\ell > 0))$:

$\ell > 0$
$\Rightarrow \exists x > 0.(\ell = x)$   PL
$\Rightarrow \exists x > 0.(\ell = x/2 + x/2)$   PL
$\Rightarrow \exists x > 0.((\ell = x/2)\frown(\ell = x/2))$   PL, L2
$\Rightarrow (\exists x > 0.(\ell = x/2))\frown(\exists x > 0.(\ell = x/2))$   IL12
$\Rightarrow (\ell > 0)\frown(\ell > 0)$   PL, M.

The other proofs are similar. □



Box and Length

The following theorem illustrates that the $\Box$ modality can be expressed in terms of length and chop without using negation. The theorem can be proved using techniques similar to those used above in the proof of IL20.

IL21 $\Box\phi \Leftrightarrow \forall x, y \geq 0.((x + y \leq \ell) \Rightarrow ((\ell = x)\frown\phi\frown(\ell = y)))$
     provided $x, y$ do not occur free in $\phi$.

Box and Conjunction

IL22 $\Box(\phi \wedge \psi) \Leftrightarrow (\Box\phi \wedge \Box\psi)$.

Box and Disjunction

IL23 $(\Box\phi \vee \Box\psi) \Rightarrow \Box(\phi \vee \psi)$.



Prefix Intervals

It is often convenient to specify properties of prefix intervals, i.e. intervals that share the left end point of a given interval. For example, in Chap. 4, to formulate the deadline-driven scheduler, we specify the behavior of the processes on intervals starting at time 0.

Below we give some definitions and theorems for the properties of prefix intervals:

$\Diamond_p\phi \triangleq \phi\frown\mathit{true}$   reads: "for some prefix interval: $\phi$".
$\Box_p\phi \triangleq \neg\Diamond_p\neg\phi$   reads: "for all prefix intervals: $\phi$".

IL24 $\Box\phi \Rightarrow \Box_p\phi$.

IL25 $\Box\phi \Leftrightarrow \Box_p\Box\phi$.
     $\Box\phi \Leftrightarrow \Box\Box_p\phi$.

Many properties of $\Box_p$ resemble properties of $\Box$, e.g.

IL26 $\Box_p(\phi \Rightarrow \psi) \Rightarrow (\Box_p\phi \Rightarrow \Box_p\psi)$.

IL27 $\Box_p\phi \Rightarrow \phi$.

IL28 $\Box_p\phi \Leftrightarrow \Box_p\Box_p\phi$.

IL29 $\phi \vdash \Box_p\phi$.

IL30 $(\Box_p\phi) \Leftrightarrow \forall x \geq 0.((x \leq \ell) \Rightarrow (\phi\frown(\ell = x)))$.

IL31 $\Box_p\phi \Rightarrow \neg(\neg\phi\frown\psi)$.

IL32 $\Box_p\phi \Rightarrow \psi \vdash \Box_p\phi \Rightarrow \Box_p\psi$.

IL33 $\Box_p(\phi \Rightarrow \psi) \Rightarrow ((\phi\frown\varphi) \Rightarrow (\psi\frown\varphi))$.

IL34 $\phi \Leftrightarrow \Box_p\phi$ if $\phi$ is a rigid formula.

IL35 $(\Box_p\phi \wedge (\psi\frown\varphi)) \Rightarrow ((\phi \wedge \psi)\frown\varphi)$.

IL36 $\Box_p(\phi \wedge \psi) \Leftrightarrow (\Box_p\phi \wedge \Box_p\psi)$.

IL37 $(\Box_p\phi \vee \Box_p\psi) \Rightarrow \Box_p(\phi \vee \psi)$.

The proofs are left as exercises.
3 Duration Calculus

In this chapter we present the syntax, semantics and proof system of duration calculus. In addition, we present some theorems and rules of DC which are useful when conducting proofs.

3.1 Syntax

We establish DC as an extension of IL in the sense that temporal variables $v \in \mathit{TVar}$ other than $\ell$ have the structure

$\int S$,

where $\int S$ is called a state duration and $S$ is called a state expression.

The set of state expressions is generated from a set $\mathit{SVar}$ of state variables $P, Q, R, \ldots$, according to the following abstract syntax:

$S ::= 0 \mid 1 \mid P \mid \neg S_1 \mid S_1 \vee S_2$.

We shall use the same abbreviations for propositional connectives in state expressions as those used in Chap. 2 in IL formulas.

Remark. The propositional connectives $\neg$ and $\vee$ occur both in state expressions and in formulas but, as we shall see below, with different semantics. This does not cause problems, as state expressions always occur in the context of $\int$. □



3.2 Semantics

When we generate temporal variables from state variables, the semantics of the temporal variables must be derived from the semantics of the state variables. The semantics of a state variable is a function from time to Boolean values $\{0, 1\}$, where the function is integrable in every time interval.

Remember that we use real numbers to model time:

$\mathit{Time} = \mathbb{R}$.

An interpretation for state variables, the symbol $\ell$ and propositional letters is a function

$\mathcal{I} : (\mathit{SVar} \cup \{\ell\} \cup \mathit{PLetters}) \to ((\mathit{Time} \to \{0,1\}) \cup (\mathit{Intv} \to \mathbb{R}) \cup (\mathit{Intv} \to \{\mathit{tt}, \mathit{ff}\}))$

where

• $\mathcal{I}(P) : \mathit{Time} \to \{0,1\}$, for every state variable $P$; furthermore, $\mathcal{I}(P)$ has at most a finite number of discontinuity points in every interval;

• $\mathcal{I}(\ell) : \mathit{Intv} \to \mathbb{R}$ and $\mathcal{I}(\ell)[b,e] = e - b$; and

• $\mathcal{I}(X) : \mathit{Intv} \to \{\mathit{tt}, \mathit{ff}\}$, for every propositional letter $X$.

Thus, each function $\mathcal{I}(P)$ has the property of finite variability, and, hence, $\mathcal{I}(P)$ is integrable in every interval.

The semantics of a state expression $S$, given an interpretation $\mathcal{I}$, is a function

$\mathcal{I}\llbracket S \rrbracket : \mathit{Time} \to \{0,1\}$,

defined inductively on the structure of state expressions by

$\mathcal{I}\llbracket 0 \rrbracket(t) = 0$
$\mathcal{I}\llbracket 1 \rrbracket(t) = 1$
$\mathcal{I}\llbracket P \rrbracket(t) = \mathcal{I}(P)(t)$
$\mathcal{I}\llbracket (\neg S) \rrbracket(t) = 1 - \mathcal{I}\llbracket S \rrbracket(t)$
$\mathcal{I}\llbracket (S_1 \vee S_2) \rrbracket(t) = 0$ if $\mathcal{I}\llbracket S_1 \rrbracket(t) = 0$ and $\mathcal{I}\llbracket S_2 \rrbracket(t) = 0$, and $1$ otherwise.

We shall use the abbreviation $S_{\mathcal{I}} = \mathcal{I}\llbracket S \rrbracket$.

We see from this semantics that each function $S_{\mathcal{I}}$ has at most a finite number of discontinuity points in any interval and is thus integrable in every interval.

The semantics of temporal variables, which now have the form $\int S$ and are called state durations, is given by a function

$\mathcal{I}\llbracket \int S \rrbracket : \mathit{Intv} \to \mathbb{R}$,

defined by

$\mathcal{I}\llbracket \int S \rrbracket[b,e] = \int_b^e S_{\mathcal{I}}(t)\,dt$.

This function can be used to induce an interpretation $\mathcal{J}_{\mathcal{I}}$ for temporal variables and propositional letters from $\mathcal{I}$:

$\mathcal{J}_{\mathcal{I}}(X) = \mathcal{I}(X)$, for every propositional letter $X$,
$\mathcal{J}_{\mathcal{I}}(\int S) = \mathcal{I}\llbracket \int S \rrbracket$, for every state expression $S$,
$\mathcal{J}_{\mathcal{I}}(\ell) = \mathcal{I}(\ell)$.

The semantics of a duration calculus formula $\phi$, given an interpretation $\mathcal{I}$ to state variables, is a function

$\mathcal{I}\llbracket \phi \rrbracket : (\mathit{Val} \times \mathit{Intv}) \to \{\mathit{tt}, \mathit{ff}\}$,

for which we use the abbreviations

$\mathcal{I}, \mathcal{V}, [b,e] \models \phi \triangleq \mathcal{I}\llbracket \phi \rrbracket(\mathcal{V}, [b,e]) = \mathit{tt}$
$\mathcal{I}, \mathcal{V}, [b,e] \not\models \phi \triangleq \mathcal{I}\llbracket \phi \rrbracket(\mathcal{V}, [b,e]) = \mathit{ff}$.

We can define the semantics of DC formulas in terms of the semantics of IL formulas, using the interpretation $\mathcal{J}_{\mathcal{I}}$ induced from an interpretation $\mathcal{I}$.

The semantics of a DC formula $\phi$, for an arbitrary interpretation $\mathcal{I}$, value assignment $\mathcal{V}$ and interval $[b,e]$, is defined by

$\mathcal{I}, \mathcal{V}, [b,e] \models \phi$ iff $\mathcal{J}_{\mathcal{I}}, \mathcal{V}, [b,e] \models \phi$ in IL.

Remark. For two given interpretations $\mathcal{I}$ and $\mathcal{I}'$ whose values for any state variable $P$ disagree in at most a finite number of points in any interval we have

$\mathcal{I}\llbracket \int P \rrbracket[b,e] = \mathcal{I}'\llbracket \int P \rrbracket[b,e]$, for any $[b,e]$.

No DC formula can distinguish between $\mathcal{I}$ and $\mathcal{I}'$, since state expressions occur only within the context of $\int$. We can therefore define $\mathcal{I}$ and $\mathcal{I}'$ to be equivalent, and build equivalence classes of interpretations if necessary. □

The notions of satisfiability and validity of DC formulas are defined as for IL formulas.

In fact, the definitions of satisfiability and validity for DC formulas can be simplified as shown in Theorem 3.1 below, which gives an alternative characterization of validity and satisfiability using only prefix intervals, which are intervals of the form $[0,e]$, for nonnegative real numbers $e$.

The theorem is easy to prove using the following definition and lemma.

For a given formula $\phi$, interval $[b,e]$ and interpretation $\mathcal{I}$, let $\mathcal{I}_b$ be an interpretation such that for any $P$ occurring in $\phi$ and $t \in [0, e - b]$,

$P_{\mathcal{I}_b}(t) = P_{\mathcal{I}}(b + t)$.

We have the following lemma.

Lemma 3.1

$\mathcal{I}, \mathcal{V}, [b,e] \models \phi$ iff $\mathcal{I}_b, \mathcal{V}, [0, e - b] \models \phi$.

Proof. A proof can be given by showing

$\mathcal{I}\llbracket \int P \rrbracket[c,d] = \mathcal{I}_b\llbracket \int P \rrbracket[c - b, d - b]$,

for any $[c,d] \subseteq [b,e]$. This follows since

$P_{\mathcal{I}}(t + b) = P_{\mathcal{I}_b}(t)$

for any $t \in [c - b, d - b]$. □

We can then easily prove the following theorem.

Theorem 3.1

1. A formula $\phi$ of DC is valid iff $\mathcal{I}, \mathcal{V}, [0,e] \models \phi$ for every interpretation $\mathcal{I}$, value assignment $\mathcal{V}$ and nonnegative real number $e$.

2. A formula $\phi$ of DC is satisfiable iff $\mathcal{I}, \mathcal{V}, [0,e] \models \phi$ for some interpretation $\mathcal{I}$, value assignment $\mathcal{V}$ and nonnegative real number $e$.

The following abbreviations will be used frequently:

$\lceil\,\rceil \triangleq \ell = 0$
$\lceil S \rceil \triangleq \int S = \ell \wedge \ell > 0$.

The formula $\lceil S \rceil$ holds in an interval $[b,e]$ iff $b < e$ and $S$ is 1 (almost) everywhere in $[b,e]$. In fact, because of the finite variability of $S$, $S$ can be 0 at at most a finite number of time points in $[b,e]$.

Gas Burner

The requirement of the gas burner can be formalized in DC by

$\mathit{GbReq} \triangleq \ell \geq 60 \Rightarrow 20\int\mathit{Leak} \leq \ell$,

and the two design decisions can be formalized in DC by

$\mathit{Des}_1 \triangleq \Box(\lceil\mathit{Leak}\rceil \Rightarrow \ell \leq 1)$

and

$\mathit{Des}_2 \triangleq \Box((\lceil\mathit{Leak}\rceil\frown\lceil\neg\mathit{Leak}\rceil\frown\lceil\mathit{Leak}\rceil) \Rightarrow \ell \geq 30)$.

□
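
The semantics of Sect. 3.2 and the three gas burner formulas can be checked mechanically for a state of finite variability, since such a state is nothing but a finite list of constant segments. The following Python is an added example and not code from the book: it stores a state as segments, computes the state duration $\int S$ and the test for $\lceil S\rceil$ on an interval, and decides $\mathit{Des}_1$, $\mathit{Des}_2$ and $\mathit{GbReq}$ over all subintervals of $[0, T]$. The class and function names, the horizon $T = 120$ and the two traces are assumptions made here; the constants 60, 20, 1 and 30 are those of the formulas above.

```python
from fractions import Fraction as F


class State:
    """A Boolean state over [0, T] with finite variability, stored as contiguous
    segments (start, end, value); the value is taken on [start, end).  What the
    state does at the finitely many segment boundaries changes no duration,
    which is exactly the Remark on equivalent interpretations in Sect. 3.2."""

    def __init__(self, segs):
        self.segs = [(F(a), F(c), int(v)) for a, c, v in segs]
        if self.segs[0][0] != 0 or any(
                self.segs[i][1] != self.segs[i + 1][0] for i in range(len(self.segs) - 1)):
            raise ValueError("segments must cover [0, T] contiguously")
        self.end = self.segs[-1][1]
        # discontinuity points of S together with 0 and T
        self.points = sorted({a for a, _, _ in self.segs} | {self.end})

    def duration(self, b, e):
        """The state duration  ∫S  on [b, e]: accumulated time on which S is 1."""
        return sum((max(F(0), min(c, e) - max(a, b)) for a, c, v in self.segs if v), F(0))

    def everywhere(self, b, e):
        """⌈S⌉ on [b, e], i.e.  ∫S = ℓ  ∧  ℓ > 0."""
        return e > b and self.duration(b, e) == e - b

    def phases(self):
        """Maximal intervals on which S is 1 (⌈S⌉ holds on each of their subintervals)."""
        out = []
        for a, c, v in self.segs:
            if v:
                if out and out[-1][1] == a:
                    out[-1] = (out[-1][0], c)
                else:
                    out.append((a, c))
        return out


def des1(leak):
    """Des1 ≙ □(⌈Leak⌉ ⇒ ℓ ≤ 1): no leak phase lasts longer than 1."""
    return all(c - a <= 1 for a, c in leak.phases())


def des2(leak):
    """Des2 ≙ □((⌈Leak⌉⌢⌈¬Leak⌉⌢⌈Leak⌉) ⇒ ℓ ≥ 30).  Such an interval straddles a
    whole ¬Leak gap between two leak phases and can be taken arbitrarily close
    to that gap, so the property holds iff every such gap is at least 30."""
    ph = leak.phases()
    return all(ph[i + 1][0] - ph[i][1] >= 30 for i in range(len(ph) - 1))


def gbreq_violation(leak, horizon=60, rate=20):
    """GbReq ≙ ℓ ≥ 60 ⇒ 20∫Leak ≤ ℓ on every subinterval [b, e] of [0, T];
    returns a violating (b, e) or None.  20∫Leak − ℓ is piecewise linear in
    (b, e), bending only where Leak changes, so on the region ℓ ≥ 60 its
    maximum is attained at a vertex of that arrangement; every vertex has
    b in B and e in E below, hence checking those finitely many pairs is exact."""
    pts = leak.points
    B = sorted(p for p in set(pts) | {p - horizon for p in pts} if 0 <= p <= leak.end)
    E = sorted(p for p in set(pts) | {p + horizon for p in pts} if 0 <= p <= leak.end)
    for b in B:
        for e in E:
            if e - b >= horizon and rate * leak.duration(b, e) > e - b:
                return (b, e)
    return None


# Constructed traces over T = 120 (assumptions of this example, not from the
# book): `ok` obeys both design decisions; `bad` has leaks of length 1 only
# 1 apart, which breaks Des2 and lets 4 time units leak within 60.
ok = State([(0, 1, 1), (1, 40, 0), (40, 41, 1), (41, 100, 0), (100, "100.5", 1), ("100.5", 120, 0)])
bad = State([(0, 1, 1), (1, 2, 0), (2, 3, 1), (3, 4, 0), (4, 5, 1), (5, 6, 0), (6, 7, 1), (7, 120, 0)])

if __name__ == "__main__":
    for name, tr in (("ok", ok), ("bad", bad)):
        print(name, "Des1:", des1(tr), "Des2:", des2(tr), "GbReq violated on:", gbreq_violation(tr))
```

$\mathit{Des}_1$ and $\mathit{Des}_2$ reduce to conditions on the maximal leak phases, as the docstrings explain. $\mathit{GbReq}$ quantifies over infinitely many intervals; the check relies on $20\int\mathit{Leak} - \ell$ being piecewise linear in the end points, so only the candidate end points built from the discontinuities of $\mathit{Leak}$ (shifted by 60 where needed) have to be examined. For the first trace both design decisions hold and no violation of $\mathit{GbReq}$ is found; for the second, $\mathit{Des}_2$ fails and $[0, 60]$ is reported as a violation of $\mathit{GbReq}$.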




3.3 Proof System 

Since DC is an extension of IL, we adopt all axioms and inference rules of IL given in the previous chapter as axioms and inference rules for DC. We add axioms reflecting the structure which DC adds to temporal variables:

DCA1 $\int 0 = 0$.

DCA2 $\int 1 = \ell$.

DCA3 $\int S \geq 0$.

DCA4 $\int S_1 + \int S_2 = \int(S_1 \vee S_2) + \int(S_1 \wedge S_2)$.

DCA5 $((\int S = x)\frown(\int S = y)) \Rightarrow (\int S = x + y)$.

DCA6 $\int S_1 = \int S_2$, provided $S_1 \Leftrightarrow S_2$ holds in propositional logic.

In order to formalize the finite variability of state expressions, we add two induction rules.

Let $H(X)$ be a formula containing the propositional letter $X$ and let $S_1, S_2, \ldots, S_n$ be any finite collection of state expressions which is complete in the sense that

$(\bigvee_{i=1}^{n} S_i) \Leftrightarrow 1$.

For a complete collection of state expressions $S_1, S_2, \ldots, S_n$, there are two induction rules:

IR1 If $H(\lceil\,\rceil)$ and $H(X) \Rightarrow H(X \vee \bigvee_{i=1}^{n}(X\frown\lceil S_i\rceil))$
    then $H(\mathit{true})$

and

IR2 If $H(\lceil\,\rceil)$ and $H(X) \Rightarrow H(X \vee \bigvee_{i=1}^{n}(\lceil S_i\rceil\frown X))$
    then $H(\mathit{true})$.

In these rules $H(\phi)$ denotes the formula obtained from $H(X)$ by replacing every occurrence of $X$ in $H$ with $\phi$.

$H(\lceil\,\rceil)$ is called the base case, $H(X)$ is called the induction hypothesis and $X$ is called the induction letter.

Remark.

1. The soundness of these two induction rules relies on the finite-variability property of the functions $S_{\mathcal{I}}$ (see below). Furthermore, in the proof of relative completeness (Lemma 5.2), we shall see that the induction rules have a major role in the formalization of the finite-variability property.

2. Although we have presented the induction rules above in their most general form, we shall often use them by choosing a state expression $S$ and its negation $\neg S$ as the complete state set, and choosing $\Box(X \Rightarrow \phi)$ as $H(X)$, where $X$ does not occur in $\phi$.

3. In the following proofs of the soundness theorem and deduction theorems, we shall deal only with the induction rules where a state expression $S$ and its negation $\neg S$ are taken as the complete set of states. For the general case, the proofs can be derived similarly. □

A proof of $\phi$ in DC is a finite sequence of formulas $\phi_1, \phi_2, \ldots, \phi_n$ where $\phi_n$ is $\phi$, and each $\phi_i$ is either an instance of one of the axiom schemas of IL adopted above or of an axiom schema of DC, or is obtained by applying one of the induction rules or the inference rules of DC to previous members of the sequence. We write $\vdash \phi$ to denote that there exists a proof of $\phi$ in DC, and we call $\phi$ a theorem of DC.

A deduction in DC is defined similarly to a deduction in IL, and we write $\Gamma \vdash \phi$ to denote that there exists a deduction of $\phi$ in DC from $\Gamma$, where $\phi$ is a DC formula and $\Gamma$ is a set of DC formulas.

3.3.1 Soundness 

We want to establish the soundness of the proof system. The following definitions and lemmas are convenient for this purpose.

Definition (Equivalence) Given an interval $[b,e]$ and an interpretation $\mathcal{I}$, we call two formulas $\phi$ and $\psi$ equivalent in $[b,e]$ of $\mathcal{I}$ if

$\mathcal{I}, \mathcal{V}, [c,d] \models \phi$ iff $\mathcal{I}, \mathcal{V}, [c,d] \models \psi$

for any value assignment $\mathcal{V}$ and any interval $[c,d]$ where $[c,d] \subseteq [b,e]$.

Definition (Finite alternation) Given a state expression $S$, the formula $\mathit{FA}^i(S)$, for $i \geq 0$, describes fewer than $i$ alternations of $S$:

$\mathit{FA}^0(S) \triangleq \lceil\,\rceil$
$\mathit{FA}^{i+1}(S) \triangleq \mathit{FA}^i(S) \vee (\lceil S\rceil\frown\mathit{FA}^i(S)) \vee (\lceil\neg S\rceil\frown\mathit{FA}^i(S))$.

Lemma 3.2 For a given state expression $S$, interval $[b,e]$ and interpretation $\mathcal{I}$, there is a natural number $k$ such that

$\mathit{true}$ and $\mathit{FA}^k(S)$

are equivalent in $[b,e]$ of $\mathcal{I}$.

Proof. This follows since $S_{\mathcal{I}}$ has at most a finite number of alternations in $[b,e]$, and this number can be taken as $k$, which is an upper bound on the alternation numbers of $S_{\mathcal{I}}$ in any subinterval of $[b,e]$. □
Lemma 3.3 Let $\varphi(X)$ be a formula in which the propositional letter $X$ may occur, let $[b,e]$ be an interval and let $\mathcal{I}$ be an interpretation. Then for any two formulas $\phi_1$ and $\phi_2$,

If $\phi_1$ and $\phi_2$ are equivalent in $[b,e]$ of $\mathcal{I}$
then $\varphi(\phi_1)$ and $\varphi(\phi_2)$ are equivalent in $[b,e]$ of $\mathcal{I}$.

Proof. By structural induction on $\varphi(X)$. □

Lemma 3.4

$\models \phi(X)$ implies $\models \phi(\psi)$,

provided $\psi$ is free for $X$ in $\phi(X)$, i.e. $X$ does not occur in $\phi(X)$ within a scope of $\exists x$ or $\forall x$, where $x$ is a free variable of $\psi$.

Proof. We can apply induction on the structure of $\phi(X)$ to prove that

$\mathcal{I}, \mathcal{V}, [c,d] \models \phi(\psi)$ iff $\mathcal{I}', \mathcal{V}, [c,d] \models \phi(X)$,

for any $\mathcal{V}$ and $[c,d] \subseteq [b,e]$, where $\mathcal{I}'$ is defined so that

$\mathcal{I}'(X)[c,d] = \mathcal{I}\llbracket \psi \rrbracket(\mathcal{V}, [c,d])$,

for any $[c,d] \subseteq [b,e]$.

The details of the proof will not be presented. □

Theorem 3.2 (Soundness) The proof system of DC is sound, i.e.

$\vdash \phi$ implies $\models \phi$.

Proof. The proof of soundness is by induction on the structure of proofs, i.e. the soundness of each axiom and inference rule of DC must be proved. The axioms and inference rules of IL are treated in [28]. The axioms of DC are simple and left for the reader. We prove here the soundness of IR2, where $S$ and $\neg S$ are used as the complete set of states. The soundness of IR1 can be proved similarly.

By the induction hypothesis of the soundness proof, we have

$\models H(\lceil\,\rceil)$   (3.1)

and

$\models H(X) \Rightarrow H(X \vee (\lceil S\rceil\frown X) \vee (\lceil\neg S\rceil\frown X))$.   (3.2)

We must establish $\models H(\mathit{true})$.

We first prove

$\models H(\mathit{FA}^n(S))$,

for any natural number $n$, by induction on $n$.

The case for $n = 0$ is established by (3.1).

Inductive step: From Lemma 3.4 and (3.2), we obtain

$\models H(\mathit{FA}^n(S)) \Rightarrow H(\mathit{FA}^{n+1}(S))$.

Combining this with the induction hypothesis $\models H(\mathit{FA}^n(S))$ we obtain $\models H(\mathit{FA}^{n+1}(S))$.

To show $\models H(\mathit{true})$, we must show that $\mathcal{I}, \mathcal{V}, [b,e] \models H(\mathit{true})$ for any interpretation $\mathcal{I}$, value assignment $\mathcal{V}$ and interval $[b,e]$. But, by Lemma 3.2, there is a natural number $k$ such that $\mathit{true}$ and $\mathit{FA}^k(S)$ are equivalent in $[b,e]$ of $\mathcal{I}$, and, by Lemma 3.3, we have the result that $H(\mathit{true})$ and $H(\mathit{FA}^k(S))$ are equivalent in $[b,e]$ of $\mathcal{I}$ also.

Thus, from

$\mathcal{I}, \mathcal{V}, [b,e] \models H(\mathit{FA}^k(S))$,

we have

$\mathcal{I}, \mathcal{V}, [b,e] \models H(\mathit{true})$.

□



3.3.2 Deduction 

In order to simplify proofs in DC, we establish the following deduction theorem.

Theorem 3.3 (Deduction)

$\Gamma, \phi \vdash \psi$ implies $\Gamma \vdash \Box\phi \Rightarrow \psi$,

provided a deduction $\Gamma, \phi \vdash \psi$ involves no application of the generalization rule G for which the quantified variable is free in $\phi$ and every application of the induction rules in this deduction satisfies the condition that its induction letter does not occur in $\phi$.

Proof. We must add to the proof of the deduction theorem for IL the cases where the induction rules are applied as the last step of the deduction. All other cases remain the same.

Case IR1: We consider only the simple case where $S$ and $\neg S$ constitute the complete state set, $\psi$ has the form $H(\mathit{true})$, and the deduction from $\Gamma \cup \{\phi\}$ has the form

   ⋮
   $H(\lceil\,\rceil)$
   ⋮
   $H(X) \Rightarrow H(X \vee (X\frown\lceil S\rceil) \vee (X\frown\lceil\neg S\rceil))$
   ⋮
   $H(\mathit{true})$.

By the induction hypothesis there are deductions from $\Gamma$ of $\Box\phi \Rightarrow H(\lceil\,\rceil)$ and $\Box\phi \Rightarrow (H(X) \Rightarrow H(X \vee (X\frown\lceil S\rceil) \vee (X\frown\lceil\neg S\rceil)))$. In the following, we abbreviate $X \vee (X\frown\lceil S\rceil) \vee (X\frown\lceil\neg S\rceil)$ to $\mathit{next}(X, S)$:

   ⋮   (deduction from $\Gamma$)
k. $\Box\phi \Rightarrow H(\lceil\,\rceil)$
   ⋮   (deduction from $\Gamma$)
l. $\Box\phi \Rightarrow (H(X) \Rightarrow H(\mathit{next}(X, S)))$
l+1. $(\Box\phi \Rightarrow (H(X) \Rightarrow H(\mathit{next}(X, S)))) \Rightarrow ((\Box\phi \Rightarrow H(X)) \Rightarrow (\Box\phi \Rightarrow H(\mathit{next}(X, S))))$   PL
l+2. $(\Box\phi \Rightarrow H(X)) \Rightarrow (\Box\phi \Rightarrow H(\mathit{next}(X, S)))$   l., l+1., MP
l+3. $\Box\phi \Rightarrow H(\mathit{true})$   k., l+2., IR1.

Note that we have taken into account the fact that the induction letter $X$ does not occur in $\phi$ in the application of IR1 with $\Box\phi \Rightarrow H(X)$ as the induction hypothesis.

Case IR2 is similar to IR1. □

The deduction theorem can often be used to simplify a proof. In connection with the application of the induction rules, the following theorem is convenient.

Theorem 3.4

$\Gamma \vdash H(\lceil\,\rceil)$ and $\Gamma, H(X) \vdash H(X \vee \bigvee_{i=1}^{n}(X\frown\lceil S_i\rceil))$
implies $\Gamma \vdash H(\mathit{true})$,
where $\{S_1, S_2, \ldots, S_n\}$ is complete,

provided a deduction $\Gamma, H(X) \vdash H(X \vee \bigvee_{i=1}^{n}(X\frown\lceil S_i\rceil))$ has the property that every application of the induction rules in this deduction satisfies the condition that its induction letter does not occur in $H(X)$.

Proof. We consider only the case where $\{S, \neg S\}$ is used as the complete set. Let $y_1, y_2, \ldots, y_n$ be all the variables occurring free in $H(X)$ and let $H_c(X)$ denote the formula $(\forall y_1)(\forall y_2)\cdots(\forall y_n)H(X)$.

Since $\Gamma \vdash H(\lceil\,\rceil)$ and $\Gamma, H(X) \vdash H(X \vee (X\frown\lceil S\rceil) \vee (X\frown\lceil\neg S\rceil))$, we also have $\Gamma \vdash H_c(\lceil\,\rceil)$ and $\Gamma, H_c(X) \vdash H_c(X \vee (X\frown\lceil S\rceil) \vee (X\frown\lceil\neg S\rceil))$ (using G and Q1).

In the following deduction, we use the deduction theorem and also the abbreviation $\mathit{next}(X, S)$:

   ⋮   (deductions from $\Gamma$)
k. $\Box H_c(X) \Rightarrow H_c(\mathit{next}(X, S))$
   ⋮
l. $H_c(\lceil\,\rceil)$
l+1. $\Box H_c(\lceil\,\rceil)$   l., IL4
l+2. $\Box H_c(X) \Rightarrow \Box H_c(\mathit{next}(X, S))$   k., IL6
l+3. $\Box H_c(\mathit{true})$   l+1., l+2., IR1
l+4. $\Box H_c(\mathit{true}) \Rightarrow H_c(\mathit{true})$   IL2
l+5. $H_c(\mathit{true})$   l+3., l+4., MP
l+6. $H(\mathit{true})$   l+5., PL,

where the application of IR1 uses $\Box H_c(X)$ as the induction hypothesis. □

The following theorem is proved in a similar way:

Theorem 3.5

$\Gamma \vdash H(\lceil\,\rceil)$ and $\Gamma, H(X) \vdash H(X \vee \bigvee_{i=1}^{n}(\lceil S_i\rceil\frown X))$
implies $\Gamma \vdash H(\mathit{true})$,
where $\{S_1, S_2, \ldots, S_n\}$ is complete,

provided a deduction $\Gamma, H(X) \vdash H(X \vee \bigvee_{i=1}^{n}(\lceil S_i\rceil\frown X))$ has the property that every application of the induction rules in this deduction satisfies the condition that its induction letter does not occur in $H(X)$.

The two induction rules can be used to prove some properties of the finite variability of states. The properties DC1 and DC2 reject infinite oscillation of the state $S$ at a point.

DC1 $\lceil\,\rceil \vee (\mathit{true}\frown\lceil S\rceil) \vee (\mathit{true}\frown\lceil\neg S\rceil)$.

DC2 $\lceil\,\rceil \vee (\lceil S\rceil\frown\mathit{true}) \vee (\lceil\neg S\rceil\frown\mathit{true})$.

Proof. The proof of DC1 is easy using Theorem 3.4 with

$H(X) \triangleq X \Rightarrow \mathrm{DC1}$.

By PL, we have $H(\lceil\,\rceil)$. We now establish

$(X \Rightarrow \mathrm{DC1}) \vdash (X \vee (X\frown\lceil S\rceil) \vee (X\frown\lceil\neg S\rceil)) \Rightarrow \mathrm{DC1}$

by establishing the three deductions

(a) $(X \Rightarrow \mathrm{DC1}) \vdash X \Rightarrow \mathrm{DC1}$

(b) $(X \Rightarrow \mathrm{DC1}) \vdash (X\frown\lceil S\rceil) \Rightarrow \mathrm{DC1}$

(c) $(X \Rightarrow \mathrm{DC1}) \vdash (X\frown\lceil\neg S\rceil) \Rightarrow \mathrm{DC1}$.

The first case, i.e. (a), is trivial. The cases (b) and (c) are similar, so we shall establish only one of them. The following constitutes a deduction for case (b):

1. $X \Rightarrow \mathit{true}$   PL
2. $(X\frown\lceil S\rceil) \Rightarrow (\mathit{true}\frown\lceil S\rceil)$   1., M
3. $(\mathit{true}\frown\lceil S\rceil) \Rightarrow \mathrm{DC1}$   PL
4. $(X\frown\lceil S\rceil) \Rightarrow \mathrm{DC1}$   2., 3., PL.

Having established (a), (b) and (c), we have, by PL,

$(X \Rightarrow \mathrm{DC1}) \vdash (X \vee (X\frown\lceil S\rceil) \vee (X\frown\lceil\neg S\rceil)) \Rightarrow \mathrm{DC1}$.

Thus, we obtain $(\mathit{true} \Rightarrow \mathrm{DC1})$ using Theorem 3.4, and then DC1 by PL. □

Similarly, we can establish that for a complete set of states $\{S_1, S_2, \ldots, S_n\}$,

DC3 $\lceil\,\rceil \vee \bigvee_{i=1}^{n}(\mathit{true}\frown\lceil S_i\rceil)$

DC4 $\lceil\,\rceil \vee \bigvee_{i=1}^{n}(\lceil S_i\rceil\frown\mathit{true})$.

3.4 Theorems 

In this section we present theorems and derived proof rules which can help one 
to understand the calculus and to conduct proofs. Some proofs are presented, 
while others are left as exercises. 

Theorems About $\int S$

DC5 $\int S + \int\neg S = \ell$.

DC6 $\int S \leq \ell$.

DC7 $\int S_1 \geq \int S_2$, if $S_2 \Rightarrow S_1$.

Proof. The following is a proof of DC5:

1. $\int S + \int\neg S = \int(S \wedge \neg S) + \int(S \vee \neg S)$   DCA4
2. $\int S + \int\neg S = \ell$   1., DCA1, DCA2, DCA6, PL.

A proof of DC6 can be derived from DC5 by use of $\int\neg S \geq 0$ (DCA3). In the following proof of DC7, we exploit the fact that $S_1 \Leftrightarrow (S_2 \vee (\neg S_2 \wedge S_1))$ when $S_2 \Rightarrow S_1$:

1. $\int S_1 = (\int S_2 + \int(\neg S_2 \wedge S_1) - \int(S_2 \wedge (\neg S_2 \wedge S_1)))$   DCA6, DCA4
2. $\int S_1 = (\int S_2 + \int(\neg S_2 \wedge S_1))$   1., DCA1, DCA6
3. $\int(\neg S_2 \wedge S_1) \geq 0$   DCA3
4. $\int S_1 \geq \int S_2$   2., 3., PL.

□



DC8 $((\int S \geq x)\frown(\int S \geq y)) \Rightarrow (\int S \geq x + y)$.
    $((\int S \leq x)\frown(\int S \leq y)) \Rightarrow (\int S \leq x + y)$.

Proof. We give a proof of the first theorem only. The proof of the second theorem is similar.

$(\int S \geq x)\frown(\int S \geq y)$
$\Rightarrow \exists z_1 \geq 0.(\int S = x + z_1)\frown\exists z_2 \geq 0.(\int S = y + z_2)$   PL, M
$\Rightarrow \exists z_1, z_2 \geq 0.((\int S = x + z_1)\frown(\int S = y + z_2))$   E, PL
$\Rightarrow \exists z_1, z_2 \geq 0.(\int S = x + z_1 + y + z_2)$   DCA5, PL
$\Rightarrow \int S \geq x + y$   PL.

□



DC9 $((\sum_{i=1}^{m}\int S_i \leq \ell)\frown(\sum_{i=1}^{m}\int S_i \leq \ell)) \Rightarrow (\sum_{i=1}^{m}\int S_i \leq \ell)$.

Proof. In the proof of this theorem, the following fact about arithmetic will be used:

$(\sum_{i=1}^{m} x_i \leq z_1 \wedge \sum_{i=1}^{m} y_i \leq z_2) \Rightarrow \sum_{i=1}^{m}(x_i + y_i) \leq z_1 + z_2$.   (3.3)

Having introduced the variables $x_i, y_i, z_1, z_2$ for durations and lengths, we can write the main part of the proof as

$(\bigwedge_{i=1}^{m}(\int S_i = x_i) \wedge (\ell = z_1) \wedge \sum_{i=1}^{m}\int S_i \leq \ell)\frown(\bigwedge_{i=1}^{m}(\int S_i = y_i) \wedge (\ell = z_2) \wedge \sum_{i=1}^{m}\int S_i \leq \ell)$
$\Rightarrow \bigwedge_{i=1}^{m}(\int S_i = x_i + y_i) \wedge (\ell = z_1 + z_2) \wedge \sum_{i=1}^{m} x_i \leq z_1 \wedge \sum_{i=1}^{m} y_i \leq z_2$   A0, L2, DCA5, PL
$\Rightarrow \bigwedge_{i=1}^{m}(\int S_i = x_i + y_i) \wedge (\ell = z_1 + z_2) \wedge \sum_{i=1}^{m}(x_i + y_i) \leq z_1 + z_2$   PL, (3.3)
$\Rightarrow \sum_{i=1}^{m}\int S_i \leq \ell$   PL.

A full proof of the theorem also has to deal with the introduction and elimination of variables:

1. $\bigwedge_{i=1}^{m}\exists x_i.(\int S_i = x_i) \wedge \exists z_1.(\ell = z_1)$   PL
2. $\bigwedge_{i=1}^{m}\exists y_i.(\int S_i = y_i) \wedge \exists z_2.(\ell = z_2)$   PL
3. $((\sum_{i=1}^{m}\int S_i \leq \ell)\frown(\sum_{i=1}^{m}\int S_i \leq \ell))$
   $\Rightarrow \exists x_1, \ldots, x_m, y_1, \ldots, y_m, z_1, z_2.((\bigwedge_{i=1}^{m}(\int S_i = x_i) \wedge (\ell = z_1) \wedge \sum_{i=1}^{m}\int S_i \leq \ell)\frown(\bigwedge_{i=1}^{m}(\int S_i = y_i) \wedge (\ell = z_2) \wedge \sum_{i=1}^{m}\int S_i \leq \ell))$   1., 2., E
4. $((\bigwedge_{i=1}^{m}(\int S_i = x_i) \wedge (\ell = z_1) \wedge \sum_{i=1}^{m}\int S_i \leq \ell)\frown(\bigwedge_{i=1}^{m}(\int S_i = y_i) \wedge (\ell = z_2) \wedge \sum_{i=1}^{m}\int S_i \leq \ell))$
   $\Rightarrow \sum_{i=1}^{m}\int S_i \leq \ell$   proof above
5. $\exists x_1, \ldots, x_m, y_1, \ldots, y_m, z_1, z_2.((\bigwedge_{i=1}^{m}(\int S_i = x_i) \wedge (\ell = z_1) \wedge \sum_{i=1}^{m}\int S_i \leq \ell)\frown(\bigwedge_{i=1}^{m}(\int S_i = y_i) \wedge (\ell = z_2) \wedge \sum_{i=1}^{m}\int S_i \leq \ell))$
   $\Rightarrow \sum_{i=1}^{m}\int S_i \leq \ell$   4., PL
6. $((\sum_{i=1}^{m}\int S_i \leq \ell)\frown(\sum_{i=1}^{m}\int S_i \leq \ell)) \Rightarrow (\sum_{i=1}^{m}\int S_i \leq \ell)$   3., 5., PL.

The introduction and elimination of variables, as done in the steps 1., 2., 3. and 5. above, have an archetypical form. Usually, we shall omit these steps in proofs and thereby just focus on the main part. □



DC10 $\int S \leq x \Leftrightarrow \Box(\int S \leq x)$.
     $\int S < x \Leftrightarrow \Box(\int S < x)$.

Proof. The $\Leftarrow$ part of these theorems follows from IL2. The other direction ($\Rightarrow$) of the first theorem can be proved by establishing

$\neg\Box(\int S \leq x) \Rightarrow \int S > x$

or, equivalently,

$(\mathit{true}\frown(\int S > x)\frown\mathit{true}) \Rightarrow \int S > x$.

This formula can be proved using the same technique as in the proof of the previous theorem, where we introduce variables for the duration of $S$ on the various intervals. The main part of this proof is

$y_1 \geq 0 \wedge y_2 \geq 0 \wedge z > 0 \wedge ((\int S = y_1)\frown(\int S = z + x)\frown(\int S = y_2))$
$\Rightarrow y_1 \geq 0 \wedge y_2 \geq 0 \wedge z > 0 \wedge \int S = y_1 + y_2 + z + x$
$\Rightarrow \int S > x$.

The second part of DC10 is proved similarly. □

Theorems About $\lceil S\rceil$

DC11 $\lceil 0\rceil \Leftrightarrow \mathit{false}$.

Proof.

$\lceil 0\rceil$
$\Leftrightarrow (\int 0 = \ell) \wedge (\ell > 0)$   Def($\lceil\,\rceil$)
$\Leftrightarrow (0 = \ell) \wedge (\ell > 0)$   DCA1
$\Rightarrow \mathit{false}$   PL.

□

DC12 $\lceil\neg S\rceil \Rightarrow (\int S = 0)$.

Proof. This can be proved by use of DC5. □

DC13 $(\bigwedge_{i=1}^{n-1}\lceil\neg(S_i \wedge (\bigvee_{j > i} S_j))\rceil) \Rightarrow (\int(\bigvee_{i=1}^{n} S_i) = \sum_{i=1}^{n}\int S_i)$.

Proof. We present a proof for the case of $n = 3$. Applying DCA4, we obtain

$\int(S_1 \vee S_2 \vee S_3) = \int S_1 + \int(S_2 \vee S_3) - \int(S_1 \wedge (S_2 \vee S_3))$.

From the antecedent $\lceil\neg(S_1 \wedge (S_2 \vee S_3))\rceil$ and DC12, we can prove

$\int(S_1 \vee S_2 \vee S_3) = \int S_1 + \int(S_2 \vee S_3)$.

Applying DCA4 again, we obtain

$\int(S_1 \vee S_2 \vee S_3) = \int S_1 + \int S_2 + \int S_3 - \int(S_2 \wedge S_3)$.

From the antecedent $\lceil\neg(S_2 \wedge S_3)\rceil$ and DC12, we prove the conclusion. □

DC14 $\lceil\bigvee_{i=1}^{k} S_i\rceil \Rightarrow (\sum_{i=1}^{k}\int S_i) \geq \ell$.

Proof. From DCA4 and DCA3, we derive

$\int(\bigvee_{i=1}^{k} S_i) \leq \sum_{i=1}^{k}\int S_i$.

Hence, by use of the definition of $\lceil\,\rceil$, we can conclude the theorem. □
DC15 $(\int S > 0) \Leftrightarrow ((\int S = 0)\frown\lceil S\rceil\frown\mathrm{true})$.

Proof. The ⇐ direction can easily be proved by use of DCA5. In order to prove the other direction, we apply Theorem 3.5. Let
$$H(X) \;\widehat{=}\; \big(X \Rightarrow ((\int S > 0) \Rightarrow ((\int S = 0)\frown\lceil S\rceil\frown\mathrm{true}))\big).$$
The proof of $H(\lceil\,\rceil)$ is easy, since $\lceil\,\rceil$ contradicts $(\int S > 0)$.

We prove
$$\vdash \big((\lceil S\rceil\frown X) \Rightarrow (\int S = 0)\frown\lceil S\rceil\frown\mathrm{true}\big)$$
by use of IL18 and M, and then establish
$$\vdash H(\lceil S\rceil\frown X)$$
by PL. Hence, $H(X) \vdash H(\lceil S\rceil\frown X)$.

To prove $H(X) \vdash H(\lceil\neg S\rceil\frown X)$, we establish the following deduction from $H(X)$:
$$\begin{array}{lll}
1. & X \Rightarrow (\neg(\int S > 0) \lor ((\int S = 0)\frown\lceil S\rceil\frown\mathrm{true})) & H(X),\ \mathrm{PL}\\[2pt]
2. & (\lceil\neg S\rceil\frown X) & \\
   & \Rightarrow ((\int S = 0)\frown\neg(\int S > 0)) \lor ((\int S = 0)\frown((\int S = 0)\frown\lceil S\rceil\frown\mathrm{true})) & 1.,\ \mathrm{IL14},\ \mathrm{DC12},\ \mathrm{M}\\
   & \Rightarrow (\int S = 0) \lor ((\int S = 0)\frown\lceil S\rceil\frown\mathrm{true}) & \mathrm{DCA3},\ \mathrm{DCA5},\ \mathrm{M},\ \mathrm{PL}\\
   & \Rightarrow ((\int S > 0) \Rightarrow ((\int S = 0)\frown\lceil S\rceil\frown\mathrm{true})) & \mathrm{DCA3},\ \mathrm{PL}.
\end{array}$$
□

DC16
$$x > 0 \land y > 0 \Rightarrow \Big(((\ell = x + y) \land \lceil S\rceil) \Leftrightarrow (((\ell = x) \land \lceil S\rceil)\frown((\ell = y) \land \lceil S\rceil))\Big).$$

Proof. The ⇐ direction can easily be proved by use of DCA5 and L2. To prove the other direction, using L2 we can chop the interval into $(\ell = x)\frown(\ell = y)$. Assuming arbitrary values for $\int S$ over the two subintervals
$$((\ell = x) \land (\int S = z_1))\frown((\ell = y) \land (\int S = z_2)),$$
we can apply DCA5 and DC6 to conclude that $(z_1 = x)$ and $(z_2 = y)$. Therefore we complete the proof. □

As a corollary of DC16, we can establish

DC17 $\lceil S\rceil \Rightarrow (\lceil S\rceil\frown\lceil S\rceil)$.
DC18 $\lceil S_1\rceil \Rightarrow \lceil S_2\rceil$, if $S_1 \Rightarrow S_2$.

Proof. This can be derived from DC7. □

DC19 $(\lceil S_1\rceil \land \lceil S_2\rceil) \Leftrightarrow \lceil S_1 \land S_2\rceil$.

Proof. The ⇐ part is a special case of DC18. The ⇒ part can be proved as follows:
$$\begin{array}{ll}
\int S_1 = \ell \land \int S_2 = \ell \land \ell > 0 & \\
\Rightarrow \int S_1 + \int S_2 - \int(S_1 \lor S_2) \ge \ell \land \ell > 0 & \mathrm{PL},\ \mathrm{DC6}\\
\Rightarrow \int(S_1 \land S_2) = \ell \land \ell > 0 & \mathrm{DCA4},\ \mathrm{DC6}\\
\Rightarrow \lceil S_1 \land S_2\rceil & \text{def. } \lceil\cdot\rceil.
\end{array}$$
□

DC20
$$((\mathrm{true}\frown\lceil S_1\rceil) \land (\mathrm{true}\frown\lceil S_2\rceil)) \Leftrightarrow (\mathrm{true}\frown\lceil S_1 \land S_2\rceil).$$
$$((\lceil S_1\rceil\frown\mathrm{true}) \land (\lceil S_2\rceil\frown\mathrm{true})) \Leftrightarrow (\lceil S_1 \land S_2\rceil\frown\mathrm{true}).$$

Proof. The ⇐ parts can be proved by use of DC18 and M. The ⇒ parts can be proved by introducing length values of the prefix and suffix intervals, respectively. For example, assuming $x \ge y$ in the following proof, we have
$$\begin{array}{ll}
((\ell = x)\frown\lceil S_1\rceil) \land ((\ell = y)\frown\lceil S_2\rceil) & \\
\Rightarrow ((\ell = x)\frown\lceil S_1\rceil) \land ((\ell = x)\frown\lceil S_2\rceil) & \mathrm{DC16},\ \mathrm{M}\\
\Rightarrow (\ell = x)\frown(\lceil S_1\rceil \land \lceil S_2\rceil) & \mathrm{IL17}\\
\Rightarrow (\ell = x)\frown\lceil S_1 \land S_2\rceil & \mathrm{M},\ \mathrm{DC19}.
\end{array}$$
Then, by introducing and moving quantification of x by use of G and E and replacing $\exists x.\ell = x$ by true, we can complete the proof, as we have seen in earlier proofs. □

Although $(\lceil S_1 \lor S_2\rceil \Rightarrow (\lceil S_1\rceil \lor \lceil S_2\rceil))$ is not a theorem, the following is still true.

DC21
$$(\mathrm{true}\frown\lceil S_1 \lor S_2\rceil) \Leftrightarrow ((\mathrm{true}\frown\lceil S_1\rceil) \lor (\mathrm{true}\frown\lceil S_2\rceil)).$$
$$(\lceil S_1 \lor S_2\rceil\frown\mathrm{true}) \Leftrightarrow ((\lceil S_1\rceil\frown\mathrm{true}) \lor (\lceil S_2\rceil\frown\mathrm{true})).$$

Proof. We prove the ⇒ part of the first theorem.
$$\begin{array}{ll}
\mathrm{true}\frown\lceil S_1 \lor S_2\rceil & \\
\Rightarrow \bigwedge_{i=1}^{2}((\mathrm{true}\frown\lceil S_i\rceil) \lor (\mathrm{true}\frown\lceil\neg S_i\rceil)) & (\ell > 0),\ \mathrm{DC1}\\
\Rightarrow (\mathrm{true}\frown\lceil S_1\rceil) \lor (\mathrm{true}\frown\lceil S_2\rceil) & \\
\qquad \lor ((\mathrm{true}\frown\lceil\neg S_1\rceil) \land (\mathrm{true}\frown\lceil\neg S_2\rceil)) & \mathrm{PL}\\
\Rightarrow (\mathrm{true}\frown\lceil S_1\rceil) \lor (\mathrm{true}\frown\lceil S_2\rceil) & \mathrm{DC20},\ \mathrm{DC11},\ \mathrm{IL13},\ \mathrm{PL}.
\end{array}$$
□
DC22
$$\neg(\mathrm{true}\frown\lceil S\rceil) \Leftrightarrow (\lceil\,\rceil \lor (\mathrm{true}\frown\lceil\neg S\rceil)).$$
$$\neg(\lceil S\rceil\frown\mathrm{true}) \Leftrightarrow (\lceil\,\rceil \lor (\lceil\neg S\rceil\frown\mathrm{true})).$$

Proof. This can be proved by use of DC1 and DC2. For example,
$$\begin{array}{lll}
1. & \lceil\,\rceil \lor (\mathrm{true}\frown\lceil S\rceil) \lor (\mathrm{true}\frown\lceil\neg S\rceil) & \mathrm{DC1}\\
2. & (\lceil\,\rceil \land (\mathrm{true}\frown\lceil S\rceil)) \Rightarrow \mathrm{false} & \mathrm{IL20},\ \mathrm{PL}\\
3. & ((\mathrm{true}\frown\lceil S\rceil) \land (\mathrm{true}\frown\lceil\neg S\rceil)) \Rightarrow \mathrm{false} & \mathrm{DC20},\ \mathrm{DC11},\ \mathrm{IL13}\\
4. & \neg(\mathrm{true}\frown\lceil S\rceil) \Leftrightarrow (\lceil\,\rceil \lor (\mathrm{true}\frown\lceil\neg S\rceil)) & 1.,\ 2.,\ 3.,\ \mathrm{PL}.
\end{array}$$
□



DC23
$$(\mathrm{true}\frown\lceil S\rceil) \Leftrightarrow (\lceil S\rceil \lor (\mathrm{true}\frown\lceil\neg S\rceil\frown\lceil S\rceil)).$$
$$(\lceil S\rceil\frown\mathrm{true}) \Leftrightarrow (\lceil S\rceil \lor (\lceil S\rceil\frown\lceil\neg S\rceil\frown\mathrm{true})).$$

Proof. We prove only the first theorem. Let
$$H(X) \;\widehat{=}\; \big(X \Rightarrow (\lceil\,\rceil \lor (\mathrm{true}\frown\lceil\neg S\rceil) \lor \lceil S\rceil \lor (\mathrm{true}\frown\lceil\neg S\rceil\frown\lceil S\rceil))\big).$$
By applying Theorem 3.4, we can prove
$$\lceil\,\rceil \lor (\mathrm{true}\frown\lceil\neg S\rceil) \lor \lceil S\rceil \lor (\mathrm{true}\frown\lceil\neg S\rceil\frown\lceil S\rceil).$$
Furthermore, it can be proved that any two of the above disjuncts are exclusive to each other. Thus, by use of PL and DC22, we can establish
$$(\mathrm{true}\frown\lceil S\rceil) \Leftrightarrow (\lceil S\rceil \lor (\mathrm{true}\frown\lceil\neg S\rceil\frown\lceil S\rceil)).$$
□



DC24
$$(\mathrm{true}\frown\lceil S_1\rceil) \Leftrightarrow \left(\begin{array}{l}\lceil S_1\rceil \lor (\mathrm{true}\frown\lceil\neg S_1 \land \neg S_2\rceil\frown\lceil S_1\rceil)\\ \lor\,(\mathrm{true}\frown\lceil\neg S_1 \land S_2\rceil\frown\lceil S_1\rceil)\end{array}\right).$$
$$(\lceil S_1\rceil\frown\mathrm{true}) \Leftrightarrow \left(\begin{array}{l}\lceil S_1\rceil \lor (\lceil S_1\rceil\frown\lceil\neg S_1 \land \neg S_2\rceil\frown\mathrm{true})\\ \lor\,(\lceil S_1\rceil\frown\lceil\neg S_1 \land S_2\rceil\frown\mathrm{true})\end{array}\right).$$

Proof. We prove only the first part. By DC23, $(\mathrm{true}\frown\lceil S_1\rceil)$ is equivalent to $\lceil S_1\rceil \lor (\mathrm{true}\frown\lceil\neg S_1\rceil\frown\lceil S_1\rceil)$.

Furthermore, we have
$$\begin{array}{ll}
\mathrm{true}\frown\lceil\neg S_1\rceil\frown\lceil S_1\rceil & \\
\Leftrightarrow \mathrm{true}\frown\lceil\neg S_1 \land (S_2 \lor \neg S_2)\rceil\frown\lceil S_1\rceil & \mathrm{DCA6}\\
\Leftrightarrow (\mathrm{true}\frown\lceil\neg S_1 \land \neg S_2\rceil\frown\lceil S_1\rceil) \lor (\mathrm{true}\frown\lceil\neg S_1 \land S_2\rceil\frown\lceil S_1\rceil) & \mathrm{DC21},\ \mathrm{M}.
\end{array}$$
□
DC25 $(\lceil S\rceil\frown\mathrm{true}\frown\lceil\neg S\rceil) \Rightarrow (\lceil S\rceil\frown\lceil\neg S\rceil\frown\mathrm{true})$.

Proof.
$$\begin{array}{ll}
\lceil S\rceil\frown\mathrm{true}\frown\lceil\neg S\rceil & \\
\Rightarrow (\lceil S\rceil \lor (\lceil S\rceil\frown\lceil\neg S\rceil\frown\mathrm{true}))\frown\lceil\neg S\rceil & \mathrm{DC23},\ \mathrm{M}\\
\Rightarrow (\lceil S\rceil\frown\lceil\neg S\rceil) \lor (\lceil S\rceil\frown\lceil\neg S\rceil\frown\mathrm{true}\frown\lceil\neg S\rceil) & \mathrm{IL14}\\
\Rightarrow (\lceil S\rceil\frown\lceil\neg S\rceil\frown(\ell = 0)) \lor (\lceil S\rceil\frown\lceil\neg S\rceil\frown\mathrm{true}\frown\lceil\neg S\rceil) & \mathrm{L3},\ \mathrm{PL}\\
\Rightarrow \lceil S\rceil\frown\lceil\neg S\rceil\frown\mathrm{true} & \mathrm{M},\ \mathrm{PL}.
\end{array}$$
□



Proof. The ⇐ part can be derived from M, and using DC23 we can easily prove the ⇒ part. □

DC27
$$\big(((\Box_p\varphi)\frown\lceil S_1\rceil) \land (\mathrm{true}\frown\lceil\neg S_1\rceil\frown\lceil S_2\rceil)\big) \Rightarrow \big(((\Box_p\varphi)\frown\lceil\neg S_1\rceil\frown\lceil S_2\rceil) \land ((\Box_p\varphi)\frown\lceil S_2\rceil)\big).$$
$$\big((\lceil S_1\rceil\frown(\Box\varphi)) \land (\lceil S_2\rceil\frown\lceil\neg S_1\rceil\frown\mathrm{true})\big) \Rightarrow \big((\lceil S_2\rceil\frown\lceil\neg S_1\rceil\frown(\Box\varphi)) \land (\lceil S_2\rceil\frown(\Box\varphi))\big).$$

Proof. We sketch a proof of the first theorem only. We first introduce interval lengths:
$$((\Box_p\varphi)\frown(\lceil S_1\rceil \land (\ell = x))) \land (\mathrm{true}\frown\lceil\neg S_1\rceil\frown(\lceil S_2\rceil \land (\ell = y))).$$
When $x \ge y$, the above formula implies $(\mathrm{true}\frown\mathrm{false}\frown(\ell = y))$, as can be shown by applying IL17, DC20 and DC11. This is equivalent to false by IL13.

When $x < y$, by DC16 and IL17 the formula implies
$$\big((\Box_p\varphi) \land (\mathrm{true}\frown\lceil\neg S_1\rceil\frown(\lceil\,\rceil \lor \lceil S_2\rceil))\big)\frown(\lceil S_2\rceil \land (\ell = x)).$$
By IL28, IL35 and DC16, the above formula implies
$$\big(\Box_p\varphi \land (\mathrm{true}\frown\lceil\neg S_1\rceil)\big)\frown\lceil S_2\rceil.$$
Then, by use of IL35 and M, we can complete the proof. □
DC28
$$\left(\begin{array}{l}\lceil\,\rceil\\ \lor\,(\mathrm{true}\frown\lceil\neg S_1 \land \neg S_2\rceil)\\ \lor\,\lceil S_1\rceil\\ \lor\,(\mathrm{true}\frown\lceil\neg S_1 \land \neg S_2\rceil\frown\lceil S_1\rceil)\\ \lor\,(\mathrm{true}\frown\lceil\neg S_1 \land S_2\rceil\frown\lceil S_1\rceil)\\ \lor\,(\mathrm{true}\frown\lceil S_2\rceil)\end{array}\right)$$
$$\left(\begin{array}{l}\lceil\,\rceil\\ \lor\,(\lceil\neg S_1 \land \neg S_2\rceil\frown\mathrm{true})\\ \lor\,\lceil S_1\rceil\\ \lor\,(\lceil S_1\rceil\frown\lceil\neg S_1 \land \neg S_2\rceil\frown\mathrm{true})\\ \lor\,(\lceil S_1\rceil\frown\lceil\neg S_1 \land S_2\rceil\frown\mathrm{true})\\ \lor\,(\lceil S_2\rceil\frown\mathrm{true})\end{array}\right)$$

Proof. We prove only the first disjunction. By DC1,
$$\lceil\,\rceil \lor (\mathrm{true}\frown\lceil S_1 \lor S_2\rceil) \lor (\mathrm{true}\frown\lceil\neg(S_1 \lor S_2)\rceil).$$
By DC21, we have
$$(\mathrm{true}\frown\lceil S_1 \lor S_2\rceil) \Leftrightarrow ((\mathrm{true}\frown\lceil S_1\rceil) \lor (\mathrm{true}\frown\lceil S_2\rceil)).$$
By DC24,
$$\mathrm{true}\frown\lceil S_1\rceil \Leftrightarrow \big(\lceil S_1\rceil \lor (\mathrm{true}\frown\lceil\neg S_1 \land \neg S_2\rceil\frown\lceil S_1\rceil) \lor (\mathrm{true}\frown\lceil\neg S_1 \land S_2\rceil\frown\lceil S_1\rceil)\big).$$
The first disjunction follows easily from the above properties. □

With the induction rules, we can prove the reversal of DCA5.

DC29 $\forall x, y \ge 0.\big((\int S = x + y) \Rightarrow ((\int S = x)\frown(\int S = y))\big)$.

Proof. Let
$$H(X) \;\widehat{=}\; (X \Rightarrow \mathrm{DC29})$$
and apply Theorem 3.4. When deriving
$$(X\frown\lceil S\rceil) \Rightarrow \mathrm{DC29}$$
from $(X \Rightarrow \mathrm{DC29})$, we can introduce z as the value of $\int S$ over the interval where X holds, and conclude by use of the induction hypothesis and M that
$$(X\frown\lceil S\rceil) \Rightarrow \exists z.(\mathrm{DC29} \land (\int S = z))\frown((\int S = \ell) \land (\ell > 0)).$$
Then, we can prove
$$(X\frown\lceil S\rceil) \Rightarrow \Big(((x_1 \ge 0 \land y_1 \ge 0) \land (\int S = x_1 + y_1)) \Rightarrow ((\int S = x_1)\frown(\int S = y_1))\Big)$$
by analysis of the cases: $x_1 \le z$ and $x_1 > z$. When $x_1 \le z$, we can find the chopping point by using the induction hypothesis within the first subinterval where X holds. When $x_1 > z$, the chopping point can be decided using DC16 in the second subinterval where $\lceil S\rceil$ holds. Similarly, we can prove
$$(X\frown\lceil\neg S\rceil) \Rightarrow \mathrm{DC29},$$
where $x_1 \le z$ will be the only possible case. □

With DC29, we can establish the reversal of DC8 and then the generalization of DC15.

DC30 $((x \ge 0 \land y \ge 0) \land (\int S \ge x + y)) \Rightarrow ((\int S \ge x)\frown(\int S \ge y))$.

DC31 $((x \ge 0) \land (\int S > x)) \Leftrightarrow ((\int S = x)\frown\lceil S\rceil\frown\mathrm{true})$.

3.5 Example: Gas Burner

In this section, we prove the correctness of the design decisions for the gas burner. Using the same abbreviations as in Sect. 3.2,
$$\begin{array}{lcl}
\mathit{Des}_1 & \widehat{=} & \Box(\lceil\mathit{Leak}\rceil \Rightarrow \ell \le 1)\\
\mathit{Des}_2 & \widehat{=} & \Box((\lceil\mathit{Leak}\rceil\frown\lceil\neg\mathit{Leak}\rceil\frown\lceil\mathit{Leak}\rceil) \Rightarrow \ell \ge 30)\\
\mathit{GbReq} & \widehat{=} & \ell \ge 60 \Rightarrow 20\cdot\int\mathit{Leak} \le \ell,
\end{array}$$
we must give a proof of
$$(\mathit{Des}_1 \land \mathit{Des}_2) \Rightarrow \mathit{GbReq}.$$

We first give an informal argument to introduce the main steps of the 
proof. Thereafter, a detailed proof is given. 



3.5.1 Informal Argument

The idea behind the proof is the following.

Consider an arbitrary interval [b, e] and assume that the two design decisions hold on the interval. This interval can be partitioned into a sequence of n intervals of size 30 time units followed by an interval whose size does not exceed 30 time units:

(diagram: the interval [b, e] split into n consecutive pieces with $\ell = 30$, followed by one piece with $\ell \le 30$)

This is a consequence of the following fact of arithmetic:
$$\forall x \ge 0\,\exists n \in \mathbb{N}\,\exists y \ge 0.(y < 30 \land x = 30\cdot n + y), \qquad (3.4)$$
where $\mathbb{N}$ is the set of natural numbers $\{0, 1, 2, \ldots\}$.

Consider an arbitrary interval of size 30 time units (or less). For this interval, the second design decision $\mathit{Des}_2$ guarantees that there is at most one period where gas is leaking. Furthermore, $\mathit{Des}_1$ guarantees that this period is at most 1 time unit long. Therefore, gas is leaking for at most 1 time unit in any interval of size 30 or less. This property is expressed as follows:
$$(\mathit{Des}_1 \land \mathit{Des}_2) \Rightarrow \Box(\ell \le 30 \Rightarrow \int\mathit{Leak} \le 1).$$

Using this property for all the n intervals of size 30, we obtain the result that gas can be leaking for at most n time units during the first n intervals of size 30. This property is formalized as
$$\Box(\ell \le 30 \Rightarrow \int\mathit{Leak} \le 1) \Rightarrow \forall n \in \mathbb{N}.\Box(\ell = 30\cdot n \Rightarrow \int\mathit{Leak} \le n).$$

Furthermore, since the last interval does not exceed 30 time units, the duration of Leak for the full interval is at most n + 1, i.e. we have the situation

(diagram: each of the n + 1 pieces satisfies $\int\mathit{Leak} \le 1$, so the whole interval satisfies $\int\mathit{Leak} \le n + 1$)

For an interval longer than 60 time units we have $n \ge 2$, and, since
$$n \ge 2 \Rightarrow 20\cdot(n + 1) \le 30\cdot n, \qquad (3.5)$$
we have the result that 20 times the duration of Leak does not exceed the length of the interval. Thus, the requirement holds for intervals satisfying the design decisions.
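The informal argument above, checked on concrete Leak traces, as an added example that is not part of the book: a Python script that models Leak as a list of leak periods, evaluates $\mathit{Des}_1$, $\mathit{Des}_2$ and the worst-case value of $20\cdot\int\mathit{Leak} - \ell$ over all intervals of length at least 60, and computes the bound n + 1 of the argument. The traces TRACE_OK and TRACE_BAD are constructed sample inputs.

```python
"""Checking the gas burner design decisions Des1, Des2 and the requirement
GbReq of Sect. 3.5 on a concrete Leak trace.

Added example (not from the book).  Leak is modelled as a list of disjoint,
increasing leak periods (s, e) on the time axis [0, horizon]; Leak = 1 inside
those periods and 0 elsewhere, so the duration of Leak on an interval [b, e]
is the accumulated overlap with the periods.
"""

# Constructed sample traces (not from the book).
TRACE_OK = [(5, 6), (40, 41), (75, 76)]            # leaks <= 1 long, gaps >= 30
TRACE_BAD = [(0, 1), (21, 22), (42, 43), (63, 64)]  # gaps of only 20: violates Des2


def leak_duration(periods, b, e):
    """The duration of Leak on [b, e], i.e. the total length of Leak within [b, e]."""
    return sum(max(0, min(e, pe) - max(b, ps)) for ps, pe in periods)


def des1_holds(periods):
    """Des1 = box(<Leak> => l <= 1): every maximal leak period is at most 1 long."""
    return all(pe - ps <= 1 for ps, pe in periods)


def des2_holds(periods):
    """Des2 = box((<Leak>^<not Leak>^<Leak>) => l >= 30).  An interval starting
    inside one leak period and ending inside a later one can be chosen with a
    length arbitrarily close to the gap between the two periods, so Des2 holds
    iff every gap between consecutive leak periods is at least 30."""
    return all(periods[k + 1][0] - periods[k][1] >= 30
               for k in range(len(periods) - 1))


def gbreq_slack(periods, horizon):
    """max of 20*int(Leak) - l over all [b, e] within [0, horizon] with l >= 60.

    GbReq holds on every such interval iff the result is <= 0.  The function
    (b, e) -> 20*int(Leak) - (e - b) is piecewise linear, so the maximum is
    attained at a vertex: both end points at breakpoints of Leak (period
    boundaries, 0 or horizon), or one end point at a breakpoint and e - b = 60.
    """
    if horizon < 60:
        return None                      # no interval of length >= 60 exists
    pts = sorted({0, horizon} | {p for per in periods for p in per})
    cands = [(b, e) for b in pts for e in pts if e - b >= 60]
    cands += [(p, p + 60) for p in pts if p + 60 <= horizon]
    cands += [(p - 60, p) for p in pts if p - 60 >= 0]
    return max(20 * leak_duration(periods, b, e) - (e - b) for b, e in cands)


def leak_bound(ell):
    """The bound of the informal argument: an interval of length ell splits into
    n = floor(ell/30) pieces of length 30 plus a rest shorter than 30, and
    Des1 and Des2 give int(Leak) <= 1 on each piece, hence int(Leak) <= n + 1."""
    n = int(ell // 30)
    return n + 1


if __name__ == "__main__":
    for name, trace, horizon in (("TRACE_OK", TRACE_OK, 100),
                                 ("TRACE_BAD", TRACE_BAD, 70)):
        print(name, "Des1:", des1_holds(trace), "Des2:", des2_holds(trace),
              "worst 20*Leak - l:", gbreq_slack(trace, horizon))
    # fact (3.5): for ell >= 60 we have n >= 2 and 20*(n+1) <= 30*n <= ell
    print(all(20 * leak_bound(ell) <= ell for ell in range(60, 200)))
```

For TRACE_BAD the slack is positive on [0, 64] (four leaks in 64 time units), which is exactly the situation the second design decision rules out.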
3.5.2 Proof

This informal argument will now be proved in duration calculus.

Lemma 3.5
$$(\mathit{Des}_1 \land \mathit{Des}_2) \Rightarrow \Box(\ell \le 30 \Rightarrow \int\mathit{Leak} \le 1).$$

Proof. It suffices to establish the following two deductions:
$$\left\{\begin{array}{l}\lceil\mathit{Leak}\rceil \Rightarrow \ell \le 1,\\ (\lceil\mathit{Leak}\rceil\frown\lceil\neg\mathit{Leak}\rceil\frown\lceil\mathit{Leak}\rceil) \Rightarrow \ell \ge 30\end{array}\right\} \vdash (\int\mathit{Leak} = 0) \Rightarrow (\ell \le 30 \Rightarrow \int\mathit{Leak} \le 1) \qquad (3.6)$$
and
$$\left\{\begin{array}{l}\lceil\mathit{Leak}\rceil \Rightarrow \ell \le 1,\\ (\lceil\mathit{Leak}\rceil\frown\lceil\neg\mathit{Leak}\rceil\frown\lceil\mathit{Leak}\rceil) \Rightarrow \ell \ge 30\end{array}\right\} \vdash (\int\mathit{Leak} > 0) \Rightarrow (\ell \le 30 \Rightarrow \int\mathit{Leak} \le 1). \qquad (3.7)$$

This is because, combining the deductions using PL and DCA3, we obtain
$$\left\{\begin{array}{l}\lceil\mathit{Leak}\rceil \Rightarrow \ell \le 1,\\ (\lceil\mathit{Leak}\rceil\frown\lceil\neg\mathit{Leak}\rceil\frown\lceil\mathit{Leak}\rceil) \Rightarrow \ell \ge 30\end{array}\right\} \vdash \ell \le 30 \Rightarrow \int\mathit{Leak} \le 1.$$
Then, using IL4, we have
$$\left\{\begin{array}{l}\lceil\mathit{Leak}\rceil \Rightarrow \ell \le 1,\\ (\lceil\mathit{Leak}\rceil\frown\lceil\neg\mathit{Leak}\rceil\frown\lceil\mathit{Leak}\rceil) \Rightarrow \ell \ge 30\end{array}\right\} \vdash \Box(\ell \le 30 \Rightarrow \int\mathit{Leak} \le 1),$$
and, using the deduction theorem (Theorem 3.3) twice together with PL, we obtain a proof of Lemma 3.5:
$$\left(\begin{array}{l}\Box(\lceil\mathit{Leak}\rceil \Rightarrow \ell \le 1)\\ \land\,\Box((\lceil\mathit{Leak}\rceil\frown\lceil\neg\mathit{Leak}\rceil\frown\lceil\mathit{Leak}\rceil) \Rightarrow \ell \ge 30)\end{array}\right) \Rightarrow \Box(\ell \le 30 \Rightarrow \int\mathit{Leak} \le 1).$$

The deduction (3.6) is established by the argument
$$\begin{array}{ll}
\int\mathit{Leak} = 0 & \\
\Rightarrow \int\mathit{Leak} \le 1 & \mathrm{PL}\\
\Rightarrow \ell \le 30 \Rightarrow \int\mathit{Leak} \le 1 & \mathrm{PL},
\end{array}$$
without using any assumptions.
The deduction (3.7) can be divided further into subcases according to
$$\begin{array}{ll}
\int\mathit{Leak} > 0 & \\
\Leftrightarrow (\int\mathit{Leak} = 0)\frown\lceil\mathit{Leak}\rceil\frown\mathrm{true} & \mathrm{DC15}\\
\Leftrightarrow (\int\mathit{Leak} = 0)\frown(\lceil\mathit{Leak}\rceil \lor (\lceil\mathit{Leak}\rceil\frown\lceil\neg\mathit{Leak}\rceil\frown\mathrm{true})) & \mathrm{DC23},\ \mathrm{M},\ \mathrm{PL}\\
\Leftrightarrow ((\int\mathit{Leak} = 0)\frown\lceil\mathit{Leak}\rceil) & \\
\qquad \lor ((\int\mathit{Leak} = 0)\frown\lceil\mathit{Leak}\rceil\frown\lceil\neg\mathit{Leak}\rceil\frown\mathrm{true}) & \mathrm{IL14}\\
\Leftrightarrow ((\int\mathit{Leak} = 0)\frown\lceil\mathit{Leak}\rceil) & \\
\qquad \lor ((\int\mathit{Leak} = 0)\frown\lceil\mathit{Leak}\rceil\frown\lceil\neg\mathit{Leak}\rceil) & \mathrm{DC23},\ \mathrm{IL14},\\
\qquad \lor ((\int\mathit{Leak} = 0)\frown\lceil\mathit{Leak}\rceil\frown\lceil\neg\mathit{Leak}\rceil\frown\lceil\mathit{Leak}\rceil\frown\mathrm{true}) & \mathrm{M},\ \mathrm{PL}.
\end{array}$$

Thus, to establish (3.7) it suffices to establish the following three deductions:
$$\left\{\begin{array}{l}\lceil\mathit{Leak}\rceil \Rightarrow \ell \le 1,\\ (\lceil\mathit{Leak}\rceil\frown\lceil\neg\mathit{Leak}\rceil\frown\lceil\mathit{Leak}\rceil) \Rightarrow \ell \ge 30\end{array}\right\} \vdash ((\int\mathit{Leak} = 0)\frown\lceil\mathit{Leak}\rceil) \Rightarrow (\ell \le 30 \Rightarrow \int\mathit{Leak} \le 1), \qquad (3.8)$$
$$\left\{\begin{array}{l}\lceil\mathit{Leak}\rceil \Rightarrow \ell \le 1,\\ (\lceil\mathit{Leak}\rceil\frown\lceil\neg\mathit{Leak}\rceil\frown\lceil\mathit{Leak}\rceil) \Rightarrow \ell \ge 30\end{array}\right\} \vdash ((\int\mathit{Leak} = 0)\frown\lceil\mathit{Leak}\rceil\frown\lceil\neg\mathit{Leak}\rceil) \Rightarrow (\ell \le 30 \Rightarrow \int\mathit{Leak} \le 1), \qquad (3.9)$$
$$\left\{\begin{array}{l}\lceil\mathit{Leak}\rceil \Rightarrow \ell \le 1,\\ (\lceil\mathit{Leak}\rceil\frown\lceil\neg\mathit{Leak}\rceil\frown\lceil\mathit{Leak}\rceil) \Rightarrow \ell \ge 30\end{array}\right\} \vdash \begin{array}{l}((\int\mathit{Leak} = 0)\frown\lceil\mathit{Leak}\rceil\frown\lceil\neg\mathit{Leak}\rceil\frown\lceil\mathit{Leak}\rceil\frown\mathrm{true})\\ \Rightarrow (\ell \le 30 \Rightarrow \int\mathit{Leak} \le 1).\end{array} \qquad (3.10)$$

The deductions of (3.8) and (3.9) are similar to establish, because they consider cases with only one period where gas is leaking. So we consider only (3.9):
$$\begin{array}{lll}
1. & \lceil\mathit{Leak}\rceil \Rightarrow \ell \le 1 & \\
2. & \Box(\lceil\mathit{Leak}\rceil \Rightarrow \ell \le 1) & \mathrm{IL4}\\
3. & (\int\mathit{Leak} = 0)\frown\lceil\mathit{Leak}\rceil\frown\lceil\neg\mathit{Leak}\rceil & \\
   & \Rightarrow (\int\mathit{Leak} = 0)\frown\lceil\mathit{Leak}\rceil\frown(\int\mathit{Leak} = 0) & \mathrm{DC12},\ \mathrm{M}\\
   & \Rightarrow (\int\mathit{Leak} = 0)\frown(\ell \le 1)\frown(\int\mathit{Leak} = 0) & 2.,\ \mathrm{IL19},\ \mathrm{PL}\\
   & \Rightarrow (\int\mathit{Leak} = 0)\frown(\int\mathit{Leak} \le 1)\frown(\int\mathit{Leak} = 0) & \mathrm{DC6},\ \mathrm{M},\ \mathrm{PL}\\
   & \Rightarrow (\int\mathit{Leak} \le 0)\frown(\int\mathit{Leak} \le 1)\frown(\int\mathit{Leak} \le 0) & \mathrm{M},\ \mathrm{PL}\\
   & \Rightarrow \int\mathit{Leak} \le 1 & \mathrm{DC8}\\
4. & (\int\mathit{Leak} = 0)\frown\lceil\mathit{Leak}\rceil\frown\lceil\neg\mathit{Leak}\rceil & \\
   & \Rightarrow (\ell \le 30 \Rightarrow \int\mathit{Leak} \le 1) & 3.,\ \mathrm{PL}.
\end{array}$$
In the last case, i.e. (3.10), we consider intervals with at least two periods where gas is leaking. The assumptions of (3.10) imply that this can happen only for intervals longer than 30 time units, and $\ell \le 30 \Rightarrow \int\mathit{Leak} \le 1$ obviously holds for such intervals. This is the main idea in the following deduction:
$$\begin{array}{lll}
1. & (\lceil\mathit{Leak}\rceil\frown\lceil\neg\mathit{Leak}\rceil\frown\lceil\mathit{Leak}\rceil) \Rightarrow \ell \ge 30 & \\
2. & \Box((\lceil\mathit{Leak}\rceil\frown\lceil\neg\mathit{Leak}\rceil\frown\lceil\mathit{Leak}\rceil) \Rightarrow \ell \ge 30) & 1.,\ \mathrm{IL4}\\
3. & (\int\mathit{Leak} = 0)\frown(\lceil\mathit{Leak}\rceil\frown\lceil\neg\mathit{Leak}\rceil\frown\lceil\mathit{Leak}\rceil)\frown\mathrm{true} & \\
   & \Rightarrow \mathrm{true}\frown\lceil\mathit{Leak}\rceil\frown(\lceil\mathit{Leak}\rceil\frown\lceil\neg\mathit{Leak}\rceil\frown\lceil\mathit{Leak}\rceil)\frown\mathrm{true} & \mathrm{DC17},\ \mathrm{M},\ \mathrm{A2}\\
   & \Rightarrow (\ell \ge 0)\frown(\ell > 0)\frown(\ell \ge 30)\frown(\ell \ge 0) & 2.,\ \mathrm{IL19},\ \mathrm{M},\ \mathrm{A0},\ \mathrm{PL}\\
   & \Rightarrow \ell > 30 & \mathrm{DC8}\\
4. & (\int\mathit{Leak} = 0)\frown(\lceil\mathit{Leak}\rceil\frown\lceil\neg\mathit{Leak}\rceil\frown\lceil\mathit{Leak}\rceil)\frown\mathrm{true} & \\
   & \Rightarrow (\ell \le 30 \Rightarrow \int\mathit{Leak} \le 1) & 3.,\ \mathrm{PL}.
\end{array}$$
□



Lemma 3.6
$$\Box(\ell \le 30 \Rightarrow \int\mathit{Leak} \le 1) \Rightarrow \forall n \in \mathbb{N}.\Box(\ell = 30\cdot n \Rightarrow \int\mathit{Leak} \le n).$$

Proof. The proof follows when we apply the deduction theorem to the deduction:
$$\begin{array}{lll}
1. & \ell \le 30 \Rightarrow \int\mathit{Leak} \le 1 & \\
2. & \Box(\ell \le 30 \Rightarrow \int\mathit{Leak} \le 1) & 1.,\ \mathrm{IL4}\\
3. & \ell = 0\cdot 30 \Rightarrow \int\mathit{Leak} \le 0 & \mathrm{DC6},\ \mathrm{PL}\\
4. & \Box(\ell = 0\cdot 30 \Rightarrow \int\mathit{Leak} \le 0) & 3.,\ \mathrm{IL4}\\
5. & \ell = (n + 1)\cdot 30 \land \Box(\ell = n\cdot 30 \Rightarrow \int\mathit{Leak} \le n) & \\
   & \Rightarrow \ell = n\cdot 30 + 30 & \mathrm{PL}\\
   & \Rightarrow (\ell = n\cdot 30)\frown(\ell = 30) & \mathrm{L2},\ \mathrm{PL}\\
   & \Rightarrow (\int\mathit{Leak} \le n)\frown(\ell = 30) & \mathrm{IL19},\ \mathrm{M}\\
   & \Rightarrow (\int\mathit{Leak} \le n)\frown(\int\mathit{Leak} \le 1) & 2.,\ \mathrm{IL19},\ \mathrm{M}\\
   & \Rightarrow \int\mathit{Leak} \le n + 1 & \mathrm{IL6}\\
6. & \Box(\ell = n\cdot 30 \Rightarrow \int\mathit{Leak} \le n) & \\
   & \Rightarrow (\ell = (n + 1)\cdot 30 \Rightarrow \int\mathit{Leak} \le n + 1) & 5.,\ \mathrm{PL}\\
7. & \Box(\ell = n\cdot 30 \Rightarrow \int\mathit{Leak} \le n) & \\
   & \Rightarrow \Box(\ell = (n + 1)\cdot 30 \Rightarrow \int\mathit{Leak} \le n + 1) & 6.,\ \mathrm{IL6}\\
8. & \forall n \in \mathbb{N}.\Box(\ell = n\cdot 30 \Rightarrow \int\mathit{Leak} \le n) & 4.,\ 7.,\ \mathrm{PL},
\end{array}$$
where induction on natural numbers is used in the last step. □
Theorem 3.6
$$(\mathit{Des}_1 \land \mathit{Des}_2) \Rightarrow \mathit{GbReq}.$$

Proof. The proof is established by applying the deduction theorem to the following deduction:
$$\begin{array}{lll}
1. & \lceil\mathit{Leak}\rceil \Rightarrow \ell \le 1 & \\
2. & \mathit{Des}_1 & 1.,\ \mathrm{IL4}\\
3. & (\lceil\mathit{Leak}\rceil\frown\lceil\neg\mathit{Leak}\rceil\frown\lceil\mathit{Leak}\rceil) \Rightarrow \ell \ge 30 & \\
4. & \mathit{Des}_2 & 3.,\ \mathrm{IL4}\\
5. & \ell \ge 60 \Rightarrow \exists n \in \mathbb{N}.\exists y \ge 0.(n \ge 2 \land y < 30 \land \ell = n\cdot 30 + y) & (3.4),\ \mathrm{PL}\\
6. & n \ge 2 \land y < 30 \land (\ell = n\cdot 30 + y) & \\
   & \Rightarrow (\ell = n\cdot 30)\frown(\ell < 30) & \mathrm{L2},\ \mathrm{PL}\\
   & \Rightarrow (\int\mathit{Leak} \le n)\frown(\ell < 30) & 2.,\ 4.,\ \mathrm{LM3.5},\ \mathrm{LM3.6},\ \mathrm{PL},\ \mathrm{M}\\
   & \Rightarrow (\int\mathit{Leak} \le n)\frown(\int\mathit{Leak} \le 1) & 2.,\ 4.,\ \mathrm{LM3.5},\ \mathrm{PL},\ \mathrm{M}\\
   & \Rightarrow \int\mathit{Leak} \le n + 1 & \mathrm{DCA5}\\
   & \Rightarrow 20\cdot\int\mathit{Leak} \le \ell & (3.5),\ \mathrm{PL}\\
7. & \ell \ge 60 \Rightarrow 20\cdot\int\mathit{Leak} \le \ell & 5.,\ 6.,\ \mathrm{PL}.
\end{array}$$
(In the above deduction, the abbreviation "LM" means "Lemma".) □




4. Deadline-Driven Scheduler

The deadline-driven scheduler of Liu and Layland [85] is considered in this chapter. The main idea of the scheduler was given in Chap. 1. The correctness proof for the deadline-driven scheduler will be carried out carefully to illustrate that the proof theory of the previous two chapters can manage a nontrivial proof. The steps of the proof will not, however, be given in as much detail as in the previous chapters, and we shall omit some simple steps and annotations that we have described earlier.

The theorem to be formalized in DC and proved is:

Theorem 4.1 (Liu and Layland) For a given set of m processes, the deadline-driven scheduler is feasible if and only if
$$(C_1/T_1) + (C_2/T_2) + \cdots + (C_m/T_m) \le 1 \qquad (0 < C_i < T_i),$$
where $C_i$ and $T_i$ are the run time and request period, respectively, of the ith process, and $T_1, T_2, \ldots, T_m$ are integers.

In [85], there is an informal description of the algorithm and an informal proof of the theorem. The formal proof presented in this chapter is based on [160].

4.1 Formalization of the Deadline-Driven Scheduler

The deadline-driven scheduler is formalized by specifying:

• several processes running on the same processor,

• the running time, periodic requests and deadlines for each process,

• the requirements for each process, and

• the scheduling algorithm.

Suppose that m processes $p_1, \ldots, p_m$ are given. Let $\alpha = \{1, \ldots, m\}$.

The behavior of the processes and the scheduler are described using three kinds of state variables:
$$\begin{array}{lcl}
\mathit{Run}_i & : & \mathit{Time} \to \{0, 1\}\\
\mathit{Std}_i & : & \mathit{Time} \to \{0, 1\}\\
\mathit{Urg}_{ij} & : & \mathit{Time} \to \{0, 1\},
\end{array}$$
where $i, j \in \alpha$.

The intention is that

• $\mathit{Run}_i(t) = 1$ if $p_i$ is running on the processor at time t, while $\mathit{Run}_i(t) = 0$ if $p_i$ is not running at t.

• $\mathit{Std}_i(t) = 1$ means that the current request of $p_i$ is still standing at time t, while $\mathit{Std}_i(t) = 0$ means that at t the current request of $p_i$ is not standing, i.e. it has been fulfilled.

• $\mathit{Urg}_{ij}(t) = 1$ if $p_i$ is more urgent than $p_j$ at t, in the sense that the next deadline of $p_i$ is closer than the next deadline of $p_j$.

4.1.1 Shared Processor

A process is only running if it has a standing request to do so:
$$A_1 \;\widehat{=}\; \lceil\mathit{Run}_i\rceil \Rightarrow \lceil\mathit{Std}_i\rceil.$$
Since all processes use the same processor, at most one process can run at any time:
$$A_2 \;\widehat{=}\; \lceil\mathit{Run}_i\rceil \Rightarrow \bigwedge_{j \ne i}\lceil\neg\mathit{Run}_j\rceil.$$
These properties must hold for every process and every interval:
$$\mathit{ShP} \;\widehat{=}\; \Box\bigwedge_{i \in \alpha}(A_1 \land A_2).$$

The formula ShP implies that the sum of the running times for all processes cannot exceed the interval length:

Lemma 4.1
$$\mathit{ShP} \Rightarrow \Big(\sum_{i \in \alpha}\int\mathit{Run}_i\Big) \le \ell.$$

Proof. A proof can be given as follows:
$$\begin{array}{ll}
\mathit{ShP} & \\
\Rightarrow \big(\sum_{i \in \alpha}\int\mathit{Run}_i\big) = \int\big(\bigvee_{i \in \alpha}\mathit{Run}_i\big) & \mathrm{DC13}\\
\Rightarrow \big(\sum_{i \in \alpha}\int\mathit{Run}_i\big) \le \ell & \mathrm{DC6}.
\end{array}$$
□

Using this lemma and DC14, we can derive the following lemma, which expresses the fact that the accumulated running time of a set of processes adds up to (and does not exceed) the interval length, on an interval throughout which they are running.

Lemma 4.2 For any $\beta \subseteq \alpha$:
$$\Big(\mathit{ShP} \land \lceil\bigvee_{i \in \beta}\mathit{Run}_i\rceil\Big) \Rightarrow \sum_{i \in \beta}\int\mathit{Run}_i = \ell.$$



4.1.2 Periodic Requests and Deadlines

Each process $p_i$ has a periodic request for processor time. The period is $T_i > 0$ and the process requires a processor time $C_i > 0$ in each period. We assume that all processes raise their first requests simultaneously, say at time 0. Hence, all arguments are restricted to intervals starting at 0 and their subintervals. By Theorem 3.1, this restriction does not affect the validity of formulas, and it is therefore invisible.

Thus, the request periods of $p_i$ start at times $k\cdot T_i$, for $k = 0, 1, 2, 3, \ldots$, and the time point $k\cdot T_i$ ($k \ge 1$) is the deadline for process $p_i$'s kth request.

To capture the deadlines of process $p_i$, we define a predicate $\mathit{dLine}_i$ which holds for intervals whose end point is a multiple of the period $T_i$ of $p_i$. This predicate is defined by
$$\mathit{dLine}_i \;\widehat{=}\; T_i \mid \ell, \quad\text{which reads: "interval end point is a deadline of } p_i\text{",}$$
where $x \mid y$ reads "x divides y" or "y is a multiple of x", which is true if there is a natural number k such that $k\cdot x = y$. Thus, $\mathit{dLine}_i$ holds for intervals which can be partitioned into a number of intervals each having length $T_i$.

For any real number $z \ge 0$, we can find a natural number $k \ge 0$ and a real number r, where $0 \le r < T_i$ and $z = k\cdot T_i + r$.

Thus, by the definition of $\mathit{dLine}_i$ and L2, we have
$$(\ell = z) \Rightarrow (\mathit{dLine}_i\frown(\ell < T_i))$$
and, hence, by A0,
$$\mathit{dLine}_i\frown(\ell < T_i)$$
holds on any interval, i.e. any interval can be partitioned into a (possibly empty) sequence of periods of length $T_i$ and a possibly not completed period.
In the proof of Liu and Layland's theorem, we must be precise about the deadlines of a process at interval end points. To this end, we use the following conventions:

• Any interval of the form $(b, e) = \{x \in \mathbb{R} \mid b < x < e\}$ is called an open interval.

• Any interval of the form $(b, e] = \{x \in \mathbb{R} \mid b < x \le e\}$ is called a left open interval.

• Any interval of the form $[b, e) = \{x \in \mathbb{R} \mid b \le x < e\}$ is called a right open interval.

• Any interval of the form $[b, e] = \{x \in \mathbb{R} \mid b \le x \le e\}$ is called a closed interval or just an interval.

For example,

• the formula $\mathit{dLine}_i\frown(0 < \ell < x)$ reads "$p_i$ has a deadline in the last open interval of length x", provided that the length of the whole interval is greater than or equal to x, and

• the formula $\neg(\mathit{dLine}_i\frown(\ell < x))$ reads "$p_i$ has no deadline in the last left open interval of length x".

The specification of the periodic requests of process $p_i$ is partitioned into specifications for the last period and specifications for every period.



Specifications Concerning the Last Period of $p_i$

The last period must start with a standing request for processor time:
$$\mathit{StartRequest}_i \;\widehat{=}\; \mathit{dLine}_i\frown\Big((\ell \le T_i) \land \big(\lceil\,\rceil \lor (\lceil\mathit{Std}_i\rceil\frown\mathrm{true})\big)\Big).$$

A standing request for processor time may disappear only when the process has finished its task. This is expressed as follows: if $\mathit{Std}_i$ changes to 0, then the task for $p_i$ must be completed:


HoldRequestj^ 



(AjRunUCi)) ) 



A standing request for processor time must disappear when the task is completed. This is expressed as follows: it is not the case that $\mathit{Std}_i$ holds in a period when the task is completed for this period:
$$\mathit{DisappearRequest}_i \;\widehat{=}\; \neg\Big(\mathit{dLine}_i\frown\big((\ell \le T_i) \land ((\int\mathit{Run}_i = C_i)\frown\Diamond\lceil\mathit{Std}_i\rceil)\big)\Big).$$
Specifications Concerning Every Period

The three formulas above must hold for every process and for every prefix interval, i.e. the specification of the periodic requests for the running time for the m processes is
$$\mathit{PrR} \;\widehat{=}\; \Box_p\bigwedge_{i \in \alpha}(\mathit{StartRequest}_i \land \mathit{HoldRequest}_i \land \mathit{DisappearRequest}_i).$$

To formulate upper and lower bounds on the running time of processes, we use the ceiling ($\lceil\_\rceil$) and floor ($\lfloor\_\rfloor$) functions, where

• $\lceil x\rceil$ is the smallest integer greater than or equal to x, and

• $\lfloor x\rfloor$ is the largest integer not exceeding x.

Hence,

• $\lceil\ell/T_i\rceil$ denotes the number of periods started by process $p_i$ in a given interval,

• $\lfloor\ell/T_i\rfloor$ denotes the number of full periods completed by process $p_i$, and

• $\lceil\ell/T_i\rceil\cdot C_i$ denotes the upper bound on the running time of $p_i$ in an interval.

The following lemma says that ShP and PrR can guarantee that process $p_i$ does not get too much processor time granted:

Lemma 4.3 For any $i \in \alpha$:
$$(\mathit{ShP} \land \mathit{PrR}) \Rightarrow \int\mathit{Run}_i \le \lceil\ell/T_i\rceil\cdot C_i.$$

Proof. A proof of the lemma can have the following steps:

(a) $(\mathit{ShP} \land \mathit{PrR}) \Rightarrow \big(\mathit{dLine}_i\frown((\ell < T_i) \land (\int\mathit{Run}_i \le C_i))\big)$.

(b) $(\mathit{ShP} \land \mathit{PrR}) \Rightarrow \Box_p\big(\mathit{dLine}_i\frown((\ell < T_i) \land (\int\mathit{Run}_i \le C_i))\big)$.

(c) $(\mathit{ShP} \land \mathit{PrR}) \Rightarrow \int\mathit{Run}_i \le \lceil\ell/T_i\rceil\cdot C_i$.

It is not difficult to establish step (a). From $\mathit{dLine}_i\frown(\ell < T_i)$, PL and IL14, we have
$$\big(\mathit{dLine}_i\frown(\ell < T_i \land \int\mathit{Run}_i \le C_i)\big) \lor \big(\mathit{dLine}_i\frown(\ell < T_i \land \int\mathit{Run}_i > C_i)\big).$$
Furthermore, we can establish
$$\begin{array}{ll}
\mathit{ShP} \land \mathit{PrR} \land \big(\mathit{dLine}_i\frown(\ell < T_i \land \int\mathit{Run}_i > C_i)\big) & \\
\Rightarrow \mathit{dLine}_i\frown\big(\ell < T_i \land (\int\mathit{Run}_i = C_i\frown\lceil\mathit{Run}_i\rceil\frown\mathrm{true})\big) & \mathrm{DC31}\\
\Rightarrow \mathit{dLine}_i\frown\big(\ell < T_i \land (\int\mathit{Run}_i = C_i\frown\Diamond\lceil\mathit{Std}_i\rceil)\big) & \mathit{ShP}\\
\Rightarrow \mathrm{false} & \mathit{DisappearRequest}_i.
\end{array}$$
Step (b) can be derived from step (a) by use of IL25, IL28, IL36 and IL32.

Step (c) can be derived from (b) by establishing
$$\Big(\mathit{ShP} \land \mathit{PrR} \land \big((\mathit{dLine}_i \land \ell = k\cdot T_i)\frown(\ell < T_i)\big)\Big) \Rightarrow \int\mathit{Run}_i \le (k + 1)\cdot C_i$$
by induction on the natural number k. □

Since $T_i > C_i$, process $p_i$ cannot occupy the processor for an entire request period. This property is implied by ShP and PrR.

Lemma 4.4
$$(\mathit{ShP} \land \mathit{PrR}) \Rightarrow \Box_p\bigwedge_{i \in \alpha}\neg\big(\mathit{dLine}_i\frown(\lceil\mathit{Run}_i\rceil \land (\ell = T_i))\big).$$

Proof. We prove $(\mathit{ShP} \land \mathit{PrR}) \Rightarrow \neg(\mathit{dLine}_i\frown(\lceil\mathit{Run}_i\rceil \land (\ell = T_i)))$.
$$\begin{array}{ll}
\big(\mathit{dLine}_i\frown(\ell = T_i \land \lceil\mathit{Run}_i\rceil)\big) \land \mathit{ShP} \land \mathit{PrR} & \\
\Rightarrow \mathit{dLine}_i\frown\big(\ell = T_i \land (\int\mathit{Run}_i = C_i\frown\lceil\mathit{Run}_i\rceil\frown\mathrm{true})\big) & (T_i > C_i),\ \mathrm{DC31}\\
\Rightarrow \mathit{dLine}_i\frown\big(\ell = T_i \land (\int\mathit{Run}_i = C_i\frown\Diamond\lceil\mathit{Std}_i\rceil)\big) & \mathit{ShP}\\
\Rightarrow \mathrm{false} & \mathit{DisappearRequest}_i.
\end{array}$$
The remaining part is proved as in step (b) above. □

A simple consequence of this lemma is that a process can have at most one deadline in a closed interval throughout which it is running, as
$$\mathit{ShP} \land \mathit{PrR} \land \big(\mathit{dLine}_i\frown(\lceil\mathit{Run}_i\rceil \land (\ell = T_i))\frown\mathrm{true}\big),$$
by the definition of $\Box_p$, would contradict Lemma 4.4. Hence, we have the following lemma.

Lemma 4.5 For any $i \in \alpha$:
$$\left(\begin{array}{l}\mathit{ShP} \land \mathit{PrR}\\ \land\,(\mathrm{true}\frown(\lceil\mathit{Run}_i\rceil \land \ell = x))\end{array}\right) \Rightarrow \neg\exists y.\left(\begin{array}{l}0 \le y \land y + T_i \le x\\ \land\,(\mathit{dLine}_i\frown(\ell = T_i + y))\\ \land\,(\mathit{dLine}_i\frown(\ell = y))\end{array}\right).$$

4.1.3 Requirement

The requirement for the deadline-driven scheduler is that every process completes its task in every request period. For the process $p_i$, we have the condition that the length of the request period is $T_i$ and that it must occupy the processor for $C_i$ to complete its task in a period. Given Lemma 4.3, which sets an upper bound on the running time, we specify here the requirement for the lower bound.

The lower bound on the running time for process $p_i$ over an interval is given by the product of the number of full periods $\lfloor\ell/T_i\rfloor$ and the required processor time $C_i$ for each period:
$$\mathit{req}_i \;\widehat{=}\; \int\mathit{Run}_i \ge \lfloor\ell/T_i\rfloor\cdot C_i, \quad\text{for } i \in \alpha.$$
This must hold for every prefix interval and every process:
$$\mathit{Req}_i \;\widehat{=}\; \Box_p\,\mathit{req}_i, \quad\text{for } i \in \alpha.$$

The following lemma asserts that a violation of the requirement formulated above cannot be discovered until a request period is finished.

Lemma 4.6 For any $i \in \alpha$:
$$\left(\begin{array}{l}\mathit{Req}_i\frown(\ell = x)\\ \land\,\neg(\mathit{dLine}_i\frown(\ell < x))\end{array}\right) \Rightarrow \mathit{Req}_i.$$

Proof. The formula $\neg(\mathit{dLine}_i\frown(\ell < x))$ means that $p_i$ has no deadline in the last left open interval of length x, so consider the following situation:

(diagram: the interval [0, e] with $\mathit{Req}_i$ holding on the prefix [0, m], the suffix [m, e] of length $\ell = x$, and no deadline of $p_i$ in (m, e])

Since there is no deadline of $p_i$, i.e. no multiple of $T_i$ in (m, e], we have the result (from the definition of the floor operator) that the value of $\lfloor\ell/T_i\rfloor\cdot C_i$ does not change in (m, e]. Therefore, $\mathit{Req}_i$ holds on [0, e]. The details of the proof will not be presented. □

When $p_i$ does not have a standing request, its requirement is fulfilled for the current period ($\mathit{HoldRequest}_i$). Moreover, if $p_i$'s requirement is also fulfilled for all the previous periods, then its running time in the entire interval reaches the upper bound:

Lemma 4.7 For any $i \in \alpha$:
$$\left(\begin{array}{l}\mathit{ShP} \land \mathit{PrR}\\ \land\,(\mathit{Req}_i\frown\lceil\neg\mathit{Std}_i\rceil)\end{array}\right) \Rightarrow \left(\begin{array}{l}\int\mathit{Run}_i = \lceil\ell/T_i\rceil\cdot C_i\\ \land\,\mathit{Req}_i\end{array}\right).$$

Proof. Notice that $p_i$ (by $\mathit{StartRequest}_i$) cannot have a deadline in a right open interval where $\lceil\neg\mathit{Std}_i\rceil$ holds. That is, we have
$$\begin{array}{ll}
(\mathit{Req}_i\frown\lceil\neg\mathit{Std}_i\rceil) \land \mathit{ShP} \land \mathit{PrR} & \\
\Rightarrow \left(\begin{array}{l}\mathit{dLine}_i\\ \land\,\int\mathit{Run}_i \ge \lfloor\ell/T_i\rfloor\cdot C_i\end{array}\right)\frown\left(\begin{array}{l}\ell < T_i\\ \land\,\mathrm{true}\frown\lceil\neg\mathit{Std}_i\rceil\end{array}\right) & \mathrm{IL35}\\[2pt]
\Rightarrow \left(\begin{array}{l}\mathit{dLine}_i\\ \land\,\int\mathit{Run}_i \ge \lfloor\ell/T_i\rfloor\cdot C_i\end{array}\right)\frown\left(\begin{array}{l}\ell < T_i\\ \land\,\int\mathit{Run}_i = C_i\end{array}\right) & \mathit{HoldRequest}_i\\[2pt]
\Rightarrow \int\mathit{Run}_i = \lceil\ell/T_i\rceil\cdot C_i & \mathrm{DCA5},\ \mathrm{LM4.3}.
\end{array}$$
Since
$$\big(\mathit{StartRequest}_i \land (\ldots \land (\ell = x))\big) \Rightarrow \neg(\mathit{dLine}_i\frown(\ell < x)),$$
the remaining part of the proof follows from Lemma 4.6. □



4.1.4 Scheduler

The role of the scheduler is to grant processes running time such that each process meets all its deadlines. The nearest deadline of process $p_i$ at a given time t is the start of the next period; it can be calculated from
$$(\lfloor t/T_i\rfloor + 1)\cdot T_i,$$
and the distance to the nearest deadline of $p_i$ is defined by
$$\mathit{dist}_i(t) \;\widehat{=}\; (\lfloor t/T_i\rfloor + 1)\cdot T_i - t.$$

A process $p_i$ is more urgent than a process $p_j$ at $t \ge 0$, if the distance to $p_i$'s nearest deadline is smaller than $p_j$'s distance to its nearest deadline, i.e. if $\mathit{dist}_i(t) < \mathit{dist}_j(t)$. Therefore, the state variable $\mathit{Urg}_{ij}$ can be characterized by the formula $\mathit{Urgent}_{ij}$, defined by
$$\forall x.\left(0 \le x < \ell \Rightarrow \left(\begin{array}{l}((\ell = x)\frown\lceil\mathit{Urg}_{ij}\rceil)\\ \Leftrightarrow \forall z.(x < z < \ell \Rightarrow \mathit{dist}_i(z) < \mathit{dist}_j(z))\end{array}\right)\right).$$
Notice that $\lceil\mathit{Urg}_{ii}\rceil$ is impossible.

We introduce the abbreviation
$$\mathit{Urgent} \;\widehat{=}\; \Box_p\bigwedge_{i, j \in \alpha}\mathit{Urgent}_{ij}.$$

The following lemma is a direct consequence of Urgent.



Lemma 4.8 For any $i, j \in \alpha$:
$$\left(\begin{array}{l}\mathit{Urgent} \land y_1 < y_2\\ \land\,(\mathit{dLine}_i\frown(\ell = y_1))\\ \land\,(\mathit{dLine}_j\frown(\ell = y_2 < T_j))\end{array}\right) \Rightarrow \mathrm{true}\frown\left(\begin{array}{l}\ell = y_2 - y_1\\ \land\,\lceil\mathit{Urg}_{ij}\rceil\end{array}\right)\frown(\ell = y_1).$$

Proof. The following diagram illustrates the antecedent:

(diagram: points $0 < m_1 < m_2 < e$; $\mathit{dLine}_j$ holds at $m_1$ and $T_j > \ell = y_2$ on $[m_1, e]$, so $p_j$ has no deadline after $m_1$; $\mathit{dLine}_i$ holds at $m_2$ and $\ell = y_1$ on $[m_2, e]$)

The lemma follows from the fact that $p_j$ has no deadline in $(m_1, m_2]$ and that $\mathit{dist}_i(z) = m_2 - z < \mathit{dist}_j(z)$ for all $z \in (m_1, m_2)$. □

This lemma can easily be generalized to a situation where every process $p_i$, for $i \in \beta$, has a deadline in the last left open interval of length y, while no process $p_j$, for $j \in \gamma$, has a deadline in the last closed interval of length y:

Lemma 4.9 For any $\beta, \gamma \subseteq \alpha$:

( Urgent \ 

A/Ki^lsidLinei-^ie <y)) ^ f\ = y)) . 

A -^{dLinCj ^{l< y))J i€0j€7 

Note that a process which has no standing request may be more urgent than a process which has a standing request. The scheduler must guarantee that one of the most urgent processes with standing requests will occupy the processor at any time. This is formalized in two steps.

The formula
$$\mathit{Sch}_1 \;\widehat{=}\; \Box\bigwedge_{i, j \in \alpha}\neg\lceil\mathit{Urg}_{ij} \land \mathit{Run}_j \land \mathit{Std}_i\rceil$$
expresses the condition that a less urgent process cannot be running when a more urgent process has a standing request for processor time.

A simple consequence of $\mathit{Sch}_1$ is that if a process $p_j$ is running throughout a left open interval where it does not have a deadline, then any other process, say $p_i$, can have at most one deadline in the corresponding closed interval. This is because there would otherwise be an interval where $p_i$ was more urgent than $p_j$, and $p_j$ was running despite the fact that $p_i$ had a standing request:

Lemma 4.10 For $i, j \in \alpha$, where $i \ne j$:
$$\left(\begin{array}{l}\mathit{PrR} \land \mathit{Urgent} \land \mathit{Sch}_1\\ \land\,(\mathrm{true}\frown(\lceil\mathit{Run}_j\rceil \land \ell = y))\\ \land\,\neg(\mathit{dLine}_j\frown(\ell < y))\end{array}\right) \Rightarrow \neg\exists y_1, y_2.\left(\begin{array}{l}0 \le y_1 < y_2 \le y\\ \land\,(\mathit{dLine}_i\frown\ell = y_1)\\ \land\,(\mathit{dLine}_i\frown\ell = y_2)\end{array}\right).$$

Proof. The following diagram shows the situation where $p_i$ has two deadlines $m_1$ and $m_2$ in a closed interval throughout which $p_j$ is running.

(diagram: points $0 < m_1 < m_2 < e$; $\lceil\mathit{Run}_j\rceil$ holds and $p_j$ has no deadline on the last part of $[0, e]$; $\mathit{dLine}_i$ holds at $m_1$ and at $m_2$; $\lceil\mathit{Urg}_{ij}\rceil$ holds on $[m_1, m_2]$ and $\lceil\mathit{Std}_i\rceil\frown\mathrm{true}$ holds from $m_1$)

Since $p_j$ has no deadline in the left open interval where it is running, $p_i$ is (by Urgent) more urgent than $p_j$ in the interval $[m_1, m_2]$, i.e. $\lceil\mathit{Urg}_{ij}\rceil$ holds on $[m_1, m_2]$. Furthermore, by PrR, $\lceil\mathit{Std}_i\rceil$ holds on a right neighborhood interval of $m_1$, and we have reached a contradiction with $\mathit{Sch}_1$ on this right neighborhood of $m_1$. □

The formula $\mathit{Sch}_1$ is, however, true for intervals where no process is running, despite the fact that some processes have standing requests for processor time. The following formula guarantees that some process will be running when there exists a process which has a standing request for processor time:
$$\mathit{Sch}_2 \;\widehat{=}\; \bigwedge_{i \in \alpha}\Box\Big(\lceil\mathit{Std}_i\rceil \Rightarrow \lceil\bigvee_{j \in \alpha}\mathit{Run}_j\rceil\Big).$$
Note that $\mathit{Sch}_2$ specifies a scheduler with no overhead.

On an interval where no process is running we have, by $\mathit{Sch}_2$, the result that no process has a standing request. Thus, by Lemma 4.7, we obtain the result that if an interval where Req holds is followed by an interval where no process is running, then Req holds on the whole interval:

Lemma 4.11
$$\Big(\mathit{ShP} \land \mathit{PrR} \land \mathit{Sch}_2 \land \big(\mathit{Req}\frown\lceil\bigwedge_{i \in \alpha}\neg\mathit{Run}_i\rceil\big)\Big) \Rightarrow \mathit{Req}.$$

The formulas $\mathit{Sch}_1$ and $\mathit{Sch}_2$ together specify that at any time, one of the most urgent processes with a standing request must be running. Therefore, the deadline-driven scheduler can be specified as follows:
$$\mathit{Sch} \;\widehat{=}\; \mathit{Urgent} \land \mathit{Sch}_1 \land \mathit{Sch}_2.$$
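The scheduler specified by Sch, run on concrete process sets, as an added example that is not part of the book: a discrete-time Python simulation for integer $C_i, T_i$ that realises $\mathit{Std}_i$, $\mathit{Run}_i$ and $\mathit{Urg}_{ij}$ (with $\mathit{dist}_i$ as defined in Sect. 4.1.4), grants each slot to the most urgent process with a standing request, and checks the requirement $\mathit{req}_i$ and the upper bound of Lemma 4.3 on every prefix. The process sets FEASIBLE and INFEASIBLE are constructed sample inputs.

```python
"""Discrete-time simulation of the deadline-driven scheduler of Sect. 4.1.

Added example (not from the book).  Processes are (C_i, T_i) pairs with
integer C_i, T_i and 0 < C_i < T_i; time advances in unit slots [t, t+1).
The state variables of Sect. 4.1 are realised as: Std_i = 1 while the current
request of p_i has unfinished work, Run_i = 1 in the slot granted to p_i, and
Urg_ij = 1 iff dist_i(t) < dist_j(t) with dist_i(t) = (floor(t/T_i) + 1)*T_i - t.
Each slot is granted to the most urgent process with a standing request
(Sch1 and Sch2); ties are broken by process index.
"""
from fractions import Fraction

# Constructed process sets (not from the book): C_1/T_1 + ... <= 1 resp. > 1.
FEASIBLE = [(1, 3), (2, 4), (1, 6)]      # utilization 1/3 + 1/2 + 1/6 = 1
INFEASIBLE = [(2, 3), (2, 4)]            # utilization 2/3 + 1/2 = 7/6 > 1


def dist(t, T):
    """Distance from time t to the nearest deadline of a process with period T."""
    return (t // T + 1) * T - t


def utilization(procs):
    """Liu and Layland's sum C_1/T_1 + ... + C_m/T_m, computed exactly."""
    return sum(Fraction(C, T) for C, T in procs)


def simulate(procs, horizon):
    """Run the scheduler over the slots 0 .. horizon-1.

    Returns (runs, first_miss): runs[i] lists the slots in which p_i ran, and
    first_miss is the earliest request time k*T_i at which the previous request
    of some p_i is still standing (a missed deadline), or None if none is missed.
    """
    m = len(procs)
    remaining = [0] * m                  # unfinished work of the current request
    runs = [[] for _ in range(m)]
    for t in range(horizon + 1):
        for i, (C, T) in enumerate(procs):
            if t % T == 0:               # p_i raises its next request at k*T_i
                if remaining[i] > 0:     # ... while the previous one is standing
                    return runs, t
                remaining[i] = C
        if t == horizon:
            break
        standing = [i for i in range(m) if remaining[i] > 0]   # Std_i(t) = 1
        if standing:                     # Sch2: someone runs while a request stands
            # Sch1: a less urgent process never runs while a more urgent one
            # (smaller dist) has a standing request; ShP: exactly one runs.
            i = min(standing, key=lambda k: (dist(t, procs[k][1]), k))
            runs[i].append(t)            # Run_i = 1 on [t, t+1)
            remaining[i] -= 1
    return runs, None


def bounds_hold(procs, runs, horizon):
    """Check, for every prefix [0, l] with 1 <= l <= horizon and every p_i,
    the requirement req_i and the upper bound of Lemma 4.3:
    floor(l/T_i)*C_i <= int(Run_i) <= ceil(l/T_i)*C_i."""
    for (C, T), slots in zip(procs, runs):
        for l in range(1, horizon + 1):
            run_time = sum(1 for s in slots if s < l)       # int(Run_i) over [0, l]
            lower, upper = (l // T) * C, -(-l // T) * C      # floor and ceiling
            if not lower <= run_time <= upper:
                return False
    return True


if __name__ == "__main__":
    for procs in (FEASIBLE, INFEASIBLE):
        runs, miss = simulate(procs, 12)
        print(procs, "utilization", utilization(procs), "first miss", miss,
              "bounds hold", bounds_hold(procs, runs, 12) if miss is None else "n/a")
```

With FEASIBLE the run time of every process on every prefix of the hyperperiod 12 stays between the floor and ceiling bounds; with INFEASIBLE the first request of $p_1$ that finds its predecessor still standing arrives at time 9.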



4.2 Liu and Layland's Theorem

The theorem of Liu and Layland has two parts. One part is the necessity of the condition $(\sum_{i \in \alpha} C_i/T_i \le 1)$ for the correctness of the scheduler. The other part is the sufficiency of this condition for the correctness.

Necessity

Consider the formula
$$(\mathit{ShP} \land \mathit{PrR} \land \mathit{Sch} \land \mathit{Req}) \Rightarrow \sum_{i \in \alpha} C_i/T_i \le 1.$$
The condition $(\sum_{i \in \alpha} C_i/T_i \le 1)$ is necessary if we can find an interval such that the above formula must hold on the interval.

That is, we must find a value of x such that the following formula holds:
$$((\ell = x) \land \mathit{ShP} \land \mathit{PrR} \land \mathit{Sch} \land \mathit{Req}) \Rightarrow \sum_{i \in \alpha} C_i/T_i \le 1.$$
This part is not difficult, as we can choose $x = T_1\cdot T_2\cdots T_m$. Note that each $T_i$ divides x (i.e. $T_i \mid x$), because the $T_i$ ($i \in \alpha$) are integers. The necessity part is proved as follows:
$$\begin{array}{ll}
\big(\ell = T_1\cdot T_2\cdots T_m \land \mathit{ShP} \land \mathit{PrR} \land \mathit{Sch} \land \mathit{Req}\big) & \\
\Rightarrow \bigwedge_{i \in \alpha}\int\mathit{Run}_i \ge \lfloor\ell/T_i\rfloor\cdot C_i & \mathit{Req},\ \mathrm{IL27}\\
\Rightarrow \bigwedge_{i \in \alpha}\int\mathit{Run}_i \ge (\ell/T_i)\cdot C_i & \lfloor\ell/T_i\rfloor = \ell/T_i\\
\Rightarrow \ell \ge \ell\cdot\big(\sum_{i \in \alpha} C_i/T_i\big) & \mathrm{LM4.1}\\
\Rightarrow \sum_{i \in \alpha} C_i/T_i \le 1.
\end{array}$$



Sufficiency 



This part is the difficult part of the proof of Liu and Layland’s theorem. 

Before giving this proof, we establish some further lemmas. The first lemma expresses the fact that, for a given subset $\beta \subseteq \alpha$, if an interval can be chopped into two parts such that

1. the run time of any process $p_i$ with $i \in \beta$ reaches $\lceil \ell/T_i \rceil \cdot C_i$ in the first interval, and

2. the accumulated run time of processes in $\beta$ in the second interval equals the length of the interval,

then the sum of the accumulated run time for the processes in $\beta$ will be no less than $\sum_{i\in\beta} \lfloor \ell/T_i \rfloor \cdot C_i$, provided $(\sum_{i\in\beta} C_i/T_i \le 1)$.

Lemma 4.12 For any $\beta \subseteq \alpha$:

$(\sum_{i\in\beta} C_i/T_i \le 1) \Rightarrow$
$\Big( \big( (\bigwedge_{i\in\beta} \int Run_i = \lceil \ell/T_i \rceil \cdot C_i) \frown (\sum_{i\in\beta} \int Run_i = \ell) \big) \Rightarrow \sum_{i\in\beta} \int Run_i \ge \sum_{i\in\beta} \lfloor \ell/T_i \rfloor \cdot C_i \Big)$



Proof. We have, from real arithmetic, the fact that

$\lfloor z/y \rfloor \le \lceil (z - x)/y \rceil + \lfloor x/y \rfloor , \quad \text{if } z \ge x \ge 0 \text{ and } y > 0 . \qquad (4.1)$







This fact is used in the following proof, where $x$ denotes the length of the first of the two chopped parts:

$(\bigwedge_{i\in\beta} \int Run_i = \lceil \ell/T_i \rceil \cdot C_i) \frown (\sum_{i\in\beta} \int Run_i = \ell)$
$\Rightarrow \sum_{i\in\beta} \int Run_i = \sum_{i\in\beta} \lceil x/T_i \rceil \cdot C_i + (\ell - x)$   L2, DCA5
$\Rightarrow \sum_{i\in\beta} \int Run_i \ge \sum_{i\in\beta} \lceil x/T_i \rceil \cdot C_i + (\ell - x) \cdot \sum_{i\in\beta} C_i/T_i$   since $\sum_{i\in\beta} C_i/T_i \le 1$
$\Rightarrow \sum_{i\in\beta} \int Run_i \ge \sum_{i\in\beta} (\lceil x/T_i \rceil + \lfloor (\ell - x)/T_i \rfloor) \cdot C_i$   PL, since $(\ell - x)/T_i \ge \lfloor (\ell - x)/T_i \rfloor$
$\Rightarrow \sum_{i\in\beta} \int Run_i \ge \sum_{i\in\beta} \lfloor \ell/T_i \rfloor \cdot C_i$   (4.1)

□

In the following, let

$Spec \;\widehat{=}\; ShP \land PrR \land Sch \land (\sum_{i\in\alpha} C_i/T_i \le 1) .$



In the next lemma we consider an interval and a subset $\beta \subseteq \alpha$, where every process $p_i$, for $i \in \beta$, does not exceed its lower bound for processor time (e.g. $p_i$ has no processor time in its last, unfinished period in the interval):

$\bigwedge_{i\in\beta} \int Run_i \le \lfloor \ell/T_i \rfloor \cdot C_i .$

If this interval can be partitioned into two parts, where

1. every process $p_i$ with $i \in \beta$ reaches its upper bound for processor time (e.g. $p_i$ has processor time in all periods, possibly including a last, unfinished period in this part) in the first part, and

2. throughout the second part, processes $p_i$, with $i \in \beta$, are running,

then the requirement holds on this interval, for all processes in $\beta$.

Lemma 4.13 For any $\beta \subseteq \alpha$:

$\Big( Spec \land \bigwedge_{i\in\beta} \int Run_i \le \lfloor \ell/T_i \rfloor \cdot C_i \land \big( (\bigwedge_{i\in\beta} \int Run_i = \lceil \ell/T_i \rceil \cdot C_i) \frown \lceil \bigvee_{i\in\beta} Run_i \rceil \big) \Big) \Rightarrow \bigwedge_{i\in\beta} req_i$

Proof. The following fact from real arithmetic will be used in the proof of this lemma:

$\big( \sum_{i=1}^{n} x_i \ge \sum_{i=1}^{n} k_i \land \bigwedge_{i=1}^{n} (x_i \le k_i) \big) \Rightarrow \bigwedge_{i=1}^{n} (x_i \ge k_i) . \qquad (4.2)$

The lemma is proved as follows:

$Spec \land \bigwedge_{i\in\beta} \int Run_i \le \lfloor \ell/T_i \rfloor \cdot C_i \land \big( (\bigwedge_{i\in\beta} \int Run_i = \lceil \ell/T_i \rceil \cdot C_i) \frown \lceil \bigvee_{i\in\beta} Run_i \rceil \big)$
$\Rightarrow Spec \land \bigwedge_{i\in\beta} \int Run_i \le \lfloor \ell/T_i \rfloor \cdot C_i \land \big( (\bigwedge_{i\in\beta} \int Run_i = \lceil \ell/T_i \rceil \cdot C_i) \frown (\sum_{i\in\beta} \int Run_i = \ell) \big)$   LM4.2
$\Rightarrow \bigwedge_{i\in\beta} \int Run_i \le \lfloor \ell/T_i \rfloor \cdot C_i \land \sum_{i\in\beta} \int Run_i \ge \sum_{i\in\beta} \lfloor \ell/T_i \rfloor \cdot C_i$   LM4.12
$\Rightarrow \bigwedge_{i\in\beta} req_i$   (4.2)

□ 

The following lemma concerns the situation where the requirement holds for process $p_i$ until an interval throughout which a process $p_j$ is running. Furthermore, in this situation we know that $p_j$ has no deadline in the last open interval where it is running (i.e. $\neg(dLine_j \frown (0 < \ell < x))$ holds) and that $p_i$'s requirement is satisfied on the whole interval, but not necessarily on those prefix intervals ending in the last open interval where $p_j$ is running.

The lemma "fills the gap" by guaranteeing that $p_i$'s requirement in fact holds on all prefix intervals, including those ending in the open interval where $p_j$ is running.

Lemma 4.14 For all $i, j \in \alpha$:

$\Big( Spec \land (Req_i \frown (\ell = x \land \lceil Run_j \rceil)) \land \neg(dLine_j \frown (0 < \ell < x)) \land req_i \Big) \Rightarrow Req_i$

Proof. We consider the following situation:

[Figure: the interval $[0, e]$, with $Req_i$ holding on $[0, a]$ and $\lceil Run_j \rceil$ on $[a, e]$, where $\ell = x$ on $[a, e]$.]

We split the proof into three cases:

1. $p_i$ has no deadline in $(a, e]$: $\neg(dLine_i \frown (\ell < x))$.

2. $p_i$ has $e$ as its deadline: $dLine_i$.

3. $p_i$ has a deadline in $(a, e)$: $dLine_i \frown (0 < \ell < x)$.

Case 1: When $p_i$ has no deadline in $(a, e]$, we have, by Lemma 4.6, the result that $Req_i$ holds on $[0, e]$.
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Case 2: In this case Pi has e as its deadline. 

We first show that pi cannot have a further deadline in (a, e), i.e. 



( Spec ^ 

A (Reqi '~'{£ = x A [Run^D) 

A dLinCi 

A ^{dLinCj ^{0 < £ < x)) 

\A req^ / 



=> -^{dLinCi "^(0 < £ < x)) 



must hold, li i — j this is obvious. If i ^ j and pi has a deadline in (a, e), 
then we have the result that -^req^^ holds on [0, e]: 

$Spec \land (Req_i \frown (\ell = x \land \lceil Run_j \rceil)) \land (dLine_i \frown (\ell = T_i < x))$
$\Rightarrow (\int Run_i \le \ell/T_i \cdot C_i) \frown (\ell = T_i \land \lceil Run_j \rceil)$   LM4.3, DC16
$\Rightarrow (\int Run_i \le \ell/T_i \cdot C_i) \frown (\ell = T_i \land \lceil \neg Run_i \rceil)$   ShP
$\Rightarrow (\int Run_i \le \ell/T_i \cdot C_i) \frown (\ell = T_i \land \int Run_i = 0)$   DC12
$\Rightarrow \int Run_i < \ell/T_i \cdot C_i ,$

where the last step follows from DCA5 and the following fact from real arithmetic:

$(r_1 \le x/T_i \cdot C_i \land r_2 = 0) \Rightarrow r_1 + r_2 < (x + T_i)/T_i \cdot C_i .$



According to IL30, it suffices to prove

$\Big( Spec \land (Req_i \frown (\ell = x)) \land dLine_i \land \neg(dLine_i \frown (0 < \ell < x)) \land req_i \Big) \Rightarrow \forall z \ge 0 . ((z \le \ell) \Rightarrow (req_i \frown (\ell = z))) .$

We divide the proof into three cases: $z = 0$, $0 < z \le x$ and $x < z \le \ell$. The case $z = 0$ is trivial: $req_i \Rightarrow (req_i \frown (\ell = 0))$ by L3.

The case $0 < z \le x$ follows from

$\big( (Req_i \frown (\ell = x - z)) \land \neg(dLine_i \frown (\ell < x - z)) \big) \frown (\ell = z)$
$\Rightarrow Req_i \frown (\ell = z)$   LM4.6
$\Rightarrow req_i \frown (\ell = z)$   IL27.

The case $x < z \le \ell$ follows from

$Req_i \frown (\ell = x)$
$\Rightarrow (req_i \frown (\ell = z - x)) \frown (\ell = x)$   IL30
$\Rightarrow req_i \frown (\ell = z)$   L2.
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Case 3: In this case pi has one deadline in (a, e). 

By the same argument as used in Case 2, we have the result that pi cannot 
have two deadlines in (a, e), i.e. 



( Spec \ 

A {ReQi ^{i = x A [Run^])) 

A {dLinei = y < x Ay > 0)) 

A -^{dLinej ^{0 < i < x)) 

\Areqi 



(dLinei ^{£ < y)) . 



Since $p_j$ is running and has no deadline in $(a, e)$, there is a right neighborhood of $a$ where $p_i$ is more urgent than $p_j$, $p_j$ is running, and therefore $p_i$ has no standing request. Thus, we have by Lemma 4.7 and Lemma 4.6 the result that $Req_i$ holds on $[0, e]$:

$Spec \land (Req_i \frown (\ell = x \land \lceil Run_j \rceil)) \land \neg(dLine_j \frown (0 < \ell < x)) \land (dLine_i \frown (\ell = y < x)) \land \neg(dLine_i \frown (\ell < y))$
$\Rightarrow dLine_j \frown (\ell \ge x)$   since $\neg(dLine_j \frown (0 < \ell < x))$
$\Rightarrow Req_i \frown (\lceil Urg_{ij} \rceil \land (\ell = x - y)) \frown (\ell = y)$   LM4.8
$\Rightarrow Req_i \frown \lceil Urg_{ij} \land Run_j \rceil \frown (\ell = y)$   DC16, DC19
$\Rightarrow Req_i \frown \lceil \neg Std_i \rceil \frown (\ell = y)$   $Sch_1$
$\Rightarrow Req_i \frown (\ell = y)$   LM4.7
$\Rightarrow Req_i$   LM4.6.



□ 



We shall now prove the main theorem of this chapter, i.e. the sufficiency 
part of Liu and Layland’s theorem. The proof will rely on the lemmas proved 
in the previous sections. 

The formal proofs needed to prove the sufficiency part are no more difficult 
than those we have seen so far. Therefore, the proof of the theorem will be 
given in a less detailed manner. 

Theorem 4.2 (Sufficiency) 



$Spec \Rightarrow Req$



Proof. The proof is by induction, using

1. $\bigwedge_{i\in\alpha} \neg Run_i$ and

2. $Run_j$, for $j \in \alpha$,

as the complete set of states.

We shall use Theorem 3.4, where $H(X)$ is

$X \Rightarrow (Spec \Rightarrow Req) ,$

which is the induction hypothesis. The induction hypothesis is equivalent to

$(X \land Spec) \Rightarrow Req .$

Note that, by IL25 and IL28, when $Spec$ holds on an interval, it holds on all prefix intervals as well.

We must consider one base case and two inductive steps. 

Base case: The requirement $Req$ must hold for the point interval $\lceil\,\rceil$. This is trivial, as each process obviously has its request fulfilled for that interval.

Inductive step 1: By Theorem 3.4, we must establish

$(X \land Spec) \Rightarrow Req \;\vdash\; ((X \frown \lceil \bigwedge_{i\in\alpha} \neg Run_i \rceil) \land Spec) \Rightarrow Req .$

The deduction

$(X \frown \lceil \bigwedge_{i\in\alpha} \neg Run_i \rceil) \land Spec$
$\Rightarrow (X \land Spec) \frown \lceil \bigwedge_{i\in\alpha} \neg Run_i \rceil$   IL25, IL28, IL35
$\Rightarrow Req \frown \lceil \bigwedge_{i\in\alpha} \neg Run_i \rceil$   Assumption,

shows that, for this inductive step, it suffices to prove that $Req$ holds for an arbitrary interval of the form $Req \frown \lceil \bigwedge_{i\in\alpha} \neg Run_i \rceil$ under the assumption that $Spec$ holds for the interval, i.e.

$\big( Spec \land (Req \frown \lceil \bigwedge_{i\in\alpha} \neg Run_i \rceil) \big) \Rightarrow Req .$

Hence, the proof of this inductive step follows from Lemma 4.11.

Inductive step 2: We must establish

$(X \land Spec) \Rightarrow Req \;\vdash\; ((X \frown \lceil Run_{j_0} \rceil) \land Spec) \Rightarrow Req ,$

for every $j_0 \in \alpha$.

By an argument similar to the one above, it suffices to prove

$\big( Spec \land (Req \frown \lceil Run_{j_0} \rceil) \big) \Rightarrow Req_i ,$

for all $i \in \alpha$.

The proof of this inductive step is divided into two cases according to whether $p_{j_0}$ has a deadline in the last left open interval in which it is running. The process $p_{j_0}$ cannot have two deadlines in a closed interval throughout which it is running, since the period of a process is strictly greater than the processor time it requests in each period ($C_{j_0} < T_{j_0}$) (see Lemma 4.5).
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Case 1: Process pj^ has no deadline in the last left open interval in which it 
is running, i.e. for this case we must prove 

/ Spec \ 

I A (i^e(/^([Run^ol A £ = y)) | => Reqi , 

\A-^{dLinejQ < y) J 
for all i E a. 

Let $i$ be an arbitrary element in $\alpha$. Either $p_i$ has a deadline in the last left open interval of length $y$ or it has no deadline in this interval. The process $p_i$ cannot have two or more deadlines in the closed interval in which $p_{j_0}$ is running (see Lemma 4.10).

Suppose $\neg(dLine_i \frown (\ell < y))$, i.e. $p_i$ has no deadline in the last left open interval of length $y$:

[Figure: the interval $[0, e]$, with $Req_i$ holding on $[0, a]$ and $\ell = y$ on $[a, e]$; $p_i$ has no deadline in $(a, e]$.]

By Lemma 4.6, $Req_i$ holds for the whole interval $[0, e]$, since $\lfloor \ell/T_i \rfloor$ does not change in the interval $(a, e]$.

Suppose $dLine_i \frown (\ell < y)$, i.e. $p_i$ has one deadline (at time $b$) in the last left open interval of length $y$:

[Figure: $Req_i$ holds on $[0, a]$; $p_{j_0}$ has no deadline in $(a, e]$; $\lceil Urg_{i j_0} \rceil$ and $\lceil \neg Std_i \rceil$ hold on $[a, b]$; $p_i$ has no deadline in $(b, e]$.]

The process $p_i$ is more urgent than the process $p_{j_0}$ in the interval $[a, b]$, because $b$ is a deadline for $p_i$ and $p_{j_0}$ has no deadline in $(a, e]$. Since $p_{j_0}$ is running throughout $[a, b]$, $p_i$ has no request standing in this interval. Thus $Req_i$ holds on $[0, b]$ by Lemma 4.7 and, by Lemma 4.6, also on $[0, e]$.

The proof for Case 1 is now completed. 

Case 2: Process $p_{j_0}$ has one deadline in the last left open interval in which it is running, i.e. for this case we must prove

$\Big( Spec \land (Req \frown (\lceil Run_{j_0} \rceil \land \ell = y)) \land (dLine_{j_0} \frown (\ell < y)) \Big) \Rightarrow Req_i ,$

for all $i \in \alpha$.
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Suppose pjQ has one deadline (at time b) in the last left open interval of 
length y, i.e. we have the situation 



Req t — x Pjo has no deadline in (6, e] 




[Run^ol 



If we can prove that Req^ holds on the interval [0,6] (for all i e a) ^ then 
we have finished, because the proof of Case 1 implies that Req^ (for all i G a) 
holds on [0, e] also. 

Thus, to finish the proof we must establish 
/ Spec 

A (Reg'^CfRuiijJ M = x)) 

A dLinejQ 

-^{dLinejQ ""{0 < £ < x)) 
for all i e a. 

According to Lemma 4.14, it suffices to prove 
Spec 

A (i^eg""(|[Runjo1 = x)) 

A dLincjQ 

A ^{dLinej^ "^{0 < £ < x)) 
for all i e a. 

To prove this for an interval $[0, b]$, we partition the processes into two groups according to whether they have used the processor in their last unfinished period in $[0, b]$.

To express this precisely, let $\alpha_{\le}$ and $\alpha_{>}$ be two sets such that

$\alpha = \alpha_{\le} \cup \alpha_{>} , \quad \alpha_{\le} \cap \alpha_{>} = \emptyset$

and, for the interval $[0, b]$, we have the following:

1. For $j \in \alpha_{\le}$: $\int Run_j \le \lfloor \ell/T_j \rfloor \cdot C_j$.

2. For $k \in \alpha_{>}$: $\int Run_k > \lfloor \ell/T_k \rfloor \cdot C_k$.

Since

$\int Run_k > \lfloor \ell/T_k \rfloor \cdot C_k \Rightarrow req_k ,$

we only need to consider processes $p_j$, for $j \in \alpha_{\le}$, in the following. Since $b$ is a deadline for $p_{j_0}$, we have the result that

$\int Run_{j_0} \le \lfloor \ell/T_{j_0} \rfloor \cdot C_{j_0}$

holds on $[0, b]$ (by Lemma 4.3, and since $\lfloor \ell/T_{j_0} \rfloor = \ell/T_{j_0}$ when $dLine_{j_0}$ holds), and therefore $j_0 \in \alpha_{\le}$. Hence we have the following situation:



[Figure: the interval $[0, b]$, with $Req$ holding on $[0, a]$ and $\lceil Run_{j_0} \rceil$ on $[a, b]$, where $\ell = x$ on $[a, b]$; $p_{j_0}$ has no deadline in $(a, b)$.]



We use DC24, i.e.

$(true \frown \lceil \bigvee_{j\in\alpha_{\le}} Run_j \rceil)$
$\Rightarrow \lceil \bigvee_{j\in\alpha_{\le}} Run_j \rceil$
$\lor (true \frown \lceil \bigwedge_{i\in\alpha} \neg Run_i \rceil \frown \lceil \bigvee_{j\in\alpha_{\le}} Run_j \rceil)$
$\lor (true \frown \lceil \bigvee_{k\in\alpha_{>}} Run_k \rceil \frown \lceil \bigvee_{j\in\alpha_{\le}} Run_j \rceil)$

to split the proof into three cases.

Case 2a: The interval $[0, b]$ satisfies $\lceil \bigvee_{j\in\alpha_{\le}} Run_j \rceil$. Since

$\ell = 0 \Rightarrow \bigwedge_{j\in\alpha_{\le}} \int Run_j = \lceil \ell/T_j \rceil \cdot C_j ,$

we can establish $\bigwedge_{j\in\alpha_{\le}} req_j$ by Lemma 4.13.

Case 2b: The interval satisfies $true \frown \lceil \bigwedge_{i\in\alpha} \neg Run_i \rceil \frown \lceil \bigvee_{j\in\alpha_{\le}} Run_j \rceil$.

In the diagram below, we know that $c$ must be smaller than or equal to $a$ and, furthermore, we have exploited the fact that if the requirement $Req$ holds on an interval ($[0, a]$), then $Req$ holds on all prefix intervals also (i.e. for $[0, c]$ in the diagram).

[Figure: the interval $[0, b]$ with points $0 \le d \le c \le b$; $Req$ holds on $[0, c]$, $\lceil \bigwedge_{i\in\alpha} \neg Run_i \rceil$ on $[d, c]$ and $\lceil \bigvee_{j\in\alpha_{\le}} Run_j \rceil$ on $[c, b]$.]

On an interval where no process is running, no process can have (by $Sch$) a request standing, and we can use Lemma 4.7 to show that

$\bigwedge_{i\in\alpha} \int Run_i = \lceil \ell/T_i \rceil \cdot C_i$

holds on $[0, c]$. We can establish $\bigwedge_{j\in\alpha_{\le}} req_j$ by Lemma 4.13.
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Case 2c: The interval satisfies true "" |[VfcGa> 

In the diagram below, we know that c must be smaller than or equal to 
a and therefore Req holds on [0, c]. 



fVfc€a> irVj6a< Ruil^l 

, 1 ^ I " I 

0 d c b 



Req 

We have the following: 

1. A process pk, k G o;>, has no deadline in [c, 6], as /Runj^ > [i/Tk\ • Ck 
holds on [0, b] and pk is not running in [c, b]. 

2. If a process pj, for j e has no deadline in (c, 6], then we have the 
situation 



[Figure: the interval $[0, b]$; $\int Run_j \ge \lfloor \ell/T_j \rfloor \cdot C_j$ holds on $[0, c]$ and $\lceil \neg Run_j \rceil$ on $[c, b]$; $p_j$ has no deadline in $(c, b]$; $\int Run_j \le \lfloor \ell/T_j \rfloor \cdot C_j$ holds on $[0, b]$.]

where we have exploited the fact that $Req$ holds on $[0, c]$. We have that $\lceil \neg Run_j \rceil$ holds on $[c, b]$, because if $p_j$ were running somewhere in $[c, b]$ then $\int Run_j > \lfloor \ell/T_j \rfloor \cdot C_j$ would hold on $[0, b]$, as $\lfloor \ell/T_j \rfloor$ does not change in $(c, b]$.

Let $\beta = \{ j \in \alpha_{\le} \mid p_j \text{ has a deadline in } (c, b] \}$.

By 2. above, only processes $p_j$, with $j \in \beta$, can be running in $[c, b]$, and we have the situation

[Figure: the interval $[0, b]$ with points $0 \le d \le c \le b$; $\lceil \bigvee_{k\in\alpha_{>}} Run_k \rceil$ holds on $[d, c]$ and $\lceil \bigvee_{j\in\beta} Run_j \rceil$ on $[c, b]$; on $[0, c]$ we have $\bigwedge_{k\in\alpha_{>}, j\in\beta} (true \frown \lceil Urg_{jk} \rceil)$ and $\bigwedge_{j\in\beta} (true \frown \lceil \neg Std_j \rceil)$.]

Every process $p_j$, $j \in \beta$, has a deadline in $(c, b]$, while no process $p_k$, $k \in \alpha_{>}$, has a deadline in $[c, b]$. Hence, by Lemma 4.9, there is a left neighborhood of $c$ where any $p_j$ is more urgent than any $p_k$. In this neighborhood $p_j$ has no request standing, because processes from $\alpha_{>}$ are running in that neighborhood.

Using Lemma 4.7, we obtain the result that

$\bigwedge_{j\in\beta} \int Run_j = \lceil \ell/T_j \rceil \cdot C_j$

holds on $[0, c]$, and, furthermore, by Lemma 4.13, that $req_j$ holds on $[0, b]$ for all $j \in \beta$.

A process $p_i$ where $i \notin \beta$ has no deadline in $(c, b]$. Since $Req_i$ holds on $[0, c]$, we have, by Lemma 4.6, the result that $Req_i$ holds on $[0, b]$ also.

The proof is thereby completed. □ 
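The necessity argument of Sect. 4.2 (choose $x = T_1 \cdots T_m$) and Theorem 4.2 can be exercised on integer time with the following added example, which is not the book's code: it simulates $Sch$ in unit steps (the most urgent process with a standing request runs; ties are broken by index, an assumption made here) and checks $Req$ on every prefix $[0, t]$. The task sets at the end are constructed for the example.

```python
"""Deadline-driven scheduling on integer time (added example, not the book's
code).  A process p_i has integer period T_i and processor time C_i.
simulate_sch runs Sch: at each unit step the most urgent process with a
standing request (earliest next deadline; ties broken by index, which is an
assumption made here) gets the processor, and Req is checked on every prefix
[0, t]: int Run_i >= floor(t / T_i) * C_i for all i."""
from fractions import Fraction
from math import prod


def utilisation(tasks):
    """Sum over i of C_i / T_i, computed exactly; tasks = [(T_i, C_i), ...]."""
    return sum(Fraction(c, t) for t, c in tasks)


def necessity_witness_length(tasks):
    """x = T_1 * ... * T_m as in the necessity proof: every T_i divides x,
    so floor(x / T_i) = x / T_i and Req on [0, x] forces sum_i C_i / T_i <= 1."""
    return prod(t for t, _ in tasks)


def simulate_sch(tasks, horizon):
    """Return (run, first_failure): run[i] is the accumulated run time of
    p_i on [0, horizon]; first_failure is the earliest t <= horizon at which
    Req fails on the prefix [0, t], or None if Req holds on every prefix."""
    m = len(tasks)
    run = [0] * m
    done_in_period = [0] * m          # run time of p_i in its current period
    first_failure = None
    for t in range(horizon):
        for i, (T, _) in enumerate(tasks):
            if t % T == 0:            # a new period starts: p_i requests C_i (PrR)
                done_in_period[i] = 0
        # Std_i: p_i has a standing request while it has not yet used C_i
        standing = [i for i, (_, C) in enumerate(tasks) if done_in_period[i] < C]
        if standing:                  # ShP: at most one process runs at a time
            # Urg: the process whose next deadline (end of its period) is earliest
            j = min(standing, key=lambda q: ((t // tasks[q][0] + 1) * tasks[q][0], q))
            run[j] += 1
            done_in_period[j] += 1
        # Req on the prefix [0, t + 1]
        ok = all(run[i] >= ((t + 1) // T) * C for i, (T, C) in enumerate(tasks))
        if not ok and first_failure is None:
            first_failure = t + 1
    return run, first_failure


def req_holds_on_all_prefixes(tasks, horizon):
    """Theorem 4.2 in this discrete setting: Spec (including the utilisation
    bound) implies Req on every prefix of [0, horizon]."""
    return simulate_sch(tasks, horizon)[1] is None


if __name__ == "__main__":
    # constructed task sets, not taken from the book
    feasible = [(4, 1), (5, 2), (10, 3)]     # 1/4 + 2/5 + 3/10 = 19/20 <= 1
    overloaded = [(2, 1), (3, 2)]            # 1/2 + 2/3 = 7/6 > 1
    print(utilisation(feasible), req_holds_on_all_prefixes(feasible, 400))
    x = necessity_witness_length(overloaded)
    print(utilisation(overloaded), simulate_sch(overloaded, x))
```

For the overloaded set $Req$ already fails on the prefix $[0, x]$ with $x = 6$, exactly the interval the necessity proof examines, while the feasible set runs for $400$ units with every process receiving $(400/T_i) \cdot C_i$ units, so $\sum_i \int Run_i = \ell \cdot \sum_i C_i/T_i \le \ell$ as in Lemma 4.1.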




5. Relative Completeness 



In this chapter, we consider the question of whether there is a proof for every valid formula of DC, i.e. whether the proof system of DC is complete. When using DC formulas in specifications, we want $\int S$ to be the integral of a Boolean-valued function. Therefore, to show the completeness of DC, it must be shown that the axioms DCA1 - DCA6, together with the rules IR1 and IR2 and the axioms and rules of IL, are enough to ensure that temporal variables of the form $\int S$ are definable by integrals.

In so doing, functions and constants, e.g. $+$ and $0$, must be interpreted as real functions and constants, and the chop modality $\frown$ occurring in the axioms must be interpreted as a modality that chops intervals of real numbers.

Since we shall avoid the issue of formalization of real arithmetic in this book, the completeness result for DC presented here is a relative-completeness result, where valid IL formulas (with respect to a model based on real numbers) are taken as provable formulas.

To formalize this notion, let $\mathcal{IL}$ be the set of all valid IL formulas, and we define $\mathcal{IL}_{DC}$ to be the set of all DC instances of formulas of $\mathcal{IL}$, i.e. a formula $\varphi_{dc} \in \mathcal{IL}_{DC}$ is obtained from a formula $\varphi \in \mathcal{IL}$ as follows: let $v_1, \ldots, v_n$ be the temporal variables occurring in $\varphi$; then $\varphi_{dc}$ is obtained by replacing every occurrence of $v_i$ with $\int S_i$, for some state expression $S_i$ and for $1 \le i \le n$.

Each formula $\varphi_{dc}$ is a valid DC formula, since $\varphi$ is a valid IL formula, and we shall take $\mathcal{IL}_{DC}$ as the provable formula set of DC provided by IL.

The theorem of relative completeness is that

$\models \phi \text{ implies } \mathcal{IL}_{DC} \vdash \phi ,$

for every formula $\phi$ of DC.

We first sketch the main ideas behind the proof of this theorem. The proof then follows.



5.1 Ideas Behind the Proof 

For every valid DC formula $\phi$, i.e. $\models \phi$, we must show the existence of a DC deduction $\mathcal{IL}_{DC} \vdash \phi$. We shall in fact give a deduction of $\mathcal{IL}_{DC} \vdash \phi$ which uses the axioms of DC together with DC1 and DC2, but not the induction rules IR1 and IR2.

This deduction of $\mathcal{IL}_{DC} \vdash \phi$ can be considered to be an IL deduction:

$\mathcal{IL}_{DC}, DCR \vdash \phi ,$

where $DCR$ denotes the infinite set of all instances of DCA1 - DCA6, DC1 and DC2, and temporal variables have the form of durations.

However, for the given $\phi$, we construct an IL formula, $H_\phi$, having $v_1, v_2, \ldots$ as temporal variables, with the property that a deduction

$\mathcal{IL}_{DC}, DCR \vdash \phi$

can be constructed from an IL deduction

$\mathcal{IL}, H_\phi \vdash \phi_h ,$

where $\phi_h$ is obtained from $\phi$ by "properly" replacing durations $\int S_i$ with temporal variables $v_i$, and the formula $H_\phi$ provides a finite encoding in IL of an essential part of $DCR$.

Using the deduction theorem of IL, we have the result that

$\mathcal{IL}, H_\phi \vdash \phi_h \text{ iff } \mathcal{IL} \vdash \Box H_\phi \Rightarrow \phi_h .$

The main part of the proof is to show that $(\Box H_\phi \Rightarrow \phi_h)$ is a valid IL formula, i.e. an element of $\mathcal{IL}$, if $\phi$ is a valid DC formula.

Therefore, if $\models \phi$, we have the result that $(\Box H_\phi \Rightarrow \phi_h) \in \mathcal{IL}$, and that the DC formula $\Box H \Rightarrow \phi$, obtained from $(\Box H_\phi \Rightarrow \phi_h)$ by "properly" replacing temporal variables $v_i$ with durations $\int S_i$, is a member of $\mathcal{IL}_{DC}$. Thus,

$\mathcal{IL}_{DC} \vdash \Box H \Rightarrow \phi .$

The formula $H$ is a conjunction of a finite number of instances of DC axioms and DC1 and DC2, and a deduction of $\mathcal{IL}_{DC} \vdash \phi$ is then easily achieved.



5.2 Proof of Relative Completeness 

Let an arbitrary duration calculus formula $\phi$ be given.

We now construct the IL formula $H_\phi$. Let $P_1, \ldots, P_l$ be the state variables occurring in $\phi$, and let $\mathcal{S}$ be the set of state expressions which can be generated from these $l$ state variables.

We consider equivalence classes of $\mathcal{S}$ as follows:

$[S] = \{ S' \in \mathcal{S} \mid S \Leftrightarrow S' \text{ in propositional logic} \} ,$

for $S \in \mathcal{S}$. Furthermore, let $\mathcal{S}_{=}$ be the set of equivalence classes:

$\mathcal{S}_{=} = \{ [S] \mid S \in \mathcal{S} \} .$

The size $k$ of $\mathcal{S}_{=}$ is the number of Boolean functions in $l$ variables, i.e. $k = 2^{2^l}$. We select $k$ temporal variables $v_1, \ldots, v_k$ and put them in one-to-one correspondence with the equivalence classes. We can therefore index the selected temporal variables with equivalence classes.

For the axioms DCA1 - DCA5 and for the two theorems DC1 and DC2, we construct seven finite sets of IL formulas:

$\mathcal{H}_1 = \{ v_{[0]} = 0 \} ,$

$\mathcal{H}_2 = \{ v_{[1]} = \ell \} ,$

$\mathcal{H}_3 = \{ v_{[S]} \ge 0 \mid [S] \in \mathcal{S}_{=} \} ,$

$\mathcal{H}_4 = \{ v_{[S_1]} + v_{[S_2]} = v_{[S_1 \lor S_2]} + v_{[S_1 \land S_2]} \mid [S_1], [S_2] \in \mathcal{S}_{=} \} ,$

$\mathcal{H}_5 = \{ (\forall x)(\forall y)(((v_{[S]} = x) \frown (v_{[S]} = y)) \Rightarrow (v_{[S]} = x + y)) \mid [S] \in \mathcal{S}_{=} \} ,$

$\mathcal{H}_6 = \{ \lceil\,\rceil \lor (true \frown \lceil v_{[S]} \rceil) \lor (true \frown \lceil v_{[\neg S]} \rceil) \mid [S] \in \mathcal{S}_{=} \} ,$

$\mathcal{H}_7 = \{ \lceil\,\rceil \lor (\lceil v_{[S]} \rceil \frown true) \lor (\lceil v_{[\neg S]} \rceil \frown true) \mid [S] \in \mathcal{S}_{=} \} ,$

where we define $\lceil v_{[S]} \rceil$ by $(v_{[S]} = \ell) \land (\ell > 0)$.

We define

• $H_\phi$ to be the conjunction of all the IL formulas in $\mathcal{H}_1$ to $\mathcal{H}_7$, and

• $\phi_h$ to be the IL formula obtained from $\phi$ by replacing each $\int S$ by $v_{[S]}$.

The definition and lemmas below are convenient for use in the completeness proof.

Definition. We call a triple $(\mathcal{J}, \mathcal{V}, [b, e])$ an $H$-triple if

$\mathcal{J}, \mathcal{V}, [b, e] \models \Box H_\phi ,$

i.e. if for any subinterval $[c, d]$ of $[b, e]$: $\mathcal{J}, \mathcal{V}, [c, d] \models H_\phi$ according to the semantics of IL.

Notation: When an interpretation $\mathcal{J}$ to temporal variables is given in the present context, we write $\underline{v}$ for $\mathcal{J}(v)$.

Lemma 5.1 Given an $H$-triple $(\mathcal{J}, \mathcal{V}, [b, e])$, then

(i) $\underline{v}_{[\neg S]}[c, d] = (d - c) - \underline{v}_{[S]}[c, d]$ ,

(ii) $0 \le \underline{v}_{[S]}[c, d] \le d - c$ ,

(iii) $\underline{v}_{[S_1]}[c, d] \le \underline{v}_{[S_1 \lor S_2]}[c, d]$ ,

(iv) if $\underline{v}_{[S]}[b, e] = (e - b)$, then $\underline{v}_{[S]}[c, d] = (d - c)$ ,

for any $S, S_1, S_2 \in \mathcal{S}$ and any subinterval $[c, d]$ of $[b, e]$.
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Proof, {i) and (ii) are trivial, and {iv) can be proved through We give 
below a proof of (Hi). 

Since -i5i V {S\ V 52 ) is a tautology, we have from P 2 the result that 

= (d - c) = £[-n5iV(S'iV52)][^’^ • 

From ?^ 4 , we have 

+l'[SiVS2]['^’^ = :?^[-.SiV(SiVS2)][*^’^ +«i[-.SiA(SiVS2)][‘^’^ • 
Using (i) and ?i^ 2 , we obtain 

(d-c) -t;[s^][c,d] + i;[s^vS 2 ][c,cq = (c* - c) + U[^s^A(SivS 2 )][c>cq , 
which gives 

V.[S^][cA <^'[SiVS 2 ][c,<^, 

since ^[^ 5 ^ a(Si VS 2 )] > 0 by 7^3 • □ 

Lemma 5.2 Given an arbitrary H -triple V, [b,e])^ where b < e, then for 

any S ^ S, there is a finite partition b = to <ti < • - <t^ — e of\b,e] such 
that 

either J, V, ti] H Iv^s]} or J, V, \= , 

for i = 1 , . . . ,n. 

Proof. For any $t : b < t < e$, there are (by $\mathcal{H}_6$ and $\mathcal{H}_7$) $t'$ and $t''$ such that $b \le t' < t < t'' \le e$ and

$\big( \mathcal{J}, \mathcal{V}, [t', t] \models \lceil v_{[S]} \rceil \text{ or } \mathcal{J}, \mathcal{V}, [t', t] \models \lceil v_{[\neg S]} \rceil \big)$
$\text{and}$
$\big( \mathcal{J}, \mathcal{V}, [t, t''] \models \lceil v_{[S]} \rceil \text{ or } \mathcal{J}, \mathcal{V}, [t, t''] \models \lceil v_{[\neg S]} \rceil \big) . \qquad (5.1)$

Thus, there is an open interval $(t', t'')$ covering $t$, and the closed interval $[t', t'']$ has the above property (5.1).

For the left end point $b$, there is, by $\mathcal{H}_7$, a $t''$ such that $b < t'' \le e$ and

$\mathcal{J}, \mathcal{V}, [b, t''] \models \lceil v_{[S]} \rceil \text{ or } \mathcal{J}, \mathcal{V}, [b, t''] \models \lceil v_{[\neg S]} \rceil . \qquad (5.2)$

We can select an arbitrary $t' < b$. Thus, there is an open interval $(t', t'')$ covering $b$, and the closed interval $[b, t'']$ has the above property (5.2).

Similarly, for $e$, there is, by $\mathcal{H}_6$, a $t'$ such that $b \le t' < e$ and

$\mathcal{J}, \mathcal{V}, [t', e] \models \lceil v_{[S]} \rceil \text{ or } \mathcal{J}, \mathcal{V}, [t', e] \models \lceil v_{[\neg S]} \rceil . \qquad (5.3)$

We can select an arbitrary $t'' > e$. Thus, there is an open interval $(t', t'')$ covering $e$, and the closed interval $[t', e]$ has the above property (5.3).
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So we have an infinite collection of open intervals covering the closed and 
bounded interval [6, e]. Then, by the Heine-Borel theorem, there is a finite 
sub-collection C = of the open intervals covering [6, e], where 

any li (1 < i < m) has the property (5.1), (5.2) or (5.3). 

We now carry out the following steps in order to find the finite partition. 

Step 1: Select the open interval U = (ai,bi) from C covering b. Then the 
closed interval [6, 6^] satisfies (5.2): 

J,V,[b,bi] 1= [v[s]l or J,V,[b,bi] |= 

Step 2: Stop if bi = e. Otherwise, bi < e. Select an open interval Ij = {aj^bj) 
from C covering bi. Since bj < e, the closed interval [bi^bj] will (by (5.1) and 
{iv) of Lemma 5.1) satisfy one of 

1- J 5 V, t= 5 

2. JT, V, [bi, bj] 1= , 

3. J,V,[bi,m] \= and J,V,[m,bj] ^ 

for some m : bi < m < bj , 

4. J,V,[bi,m] ^ and J,V,[m,bj] ^ lv[s]l, 

for some m : bi < m < bj. 

Repeat Step 2 until a partition of [6, e] is achieved. This terminates, since 
there is only a finite number of open intervals in C. □ 

Lemma 5.3 An H -triple {J,V, [b,e]), where b < e, induces a DC interpre- 
tation X such that for every S £ S and t £ [6, e), 

n / .\ f I5 tf t £ [ti—i , ti) and J , \ti—\, ti\ |= f'^[5]l 

^ ~ 1 0, ift£ [ti-i,ti) and J,V, [ti-i,ti] |= 

where b = t^ < t\ < — ' < tn = e is a partition of [b, e] satisfying 
J,V,[ti-i,ti] ^ lv[s]l or J,V,[ti-uti] ^ , 

for i = 1 , . . . ,n. 

Proof. Define an interpretation $\mathcal{I}$ as follows. For any state variable $Q \notin \mathcal{S}$ and $t \in Time$, let $Q_{\mathcal{I}}(t) = 0$. Furthermore, for any state variable $P \in \mathcal{S}$, let $b = t_0 < t_1 < \cdots < t_n = e$ be a partition of $[b, e]$ for $P$ given by Lemma 5.2. We define

$P_{\mathcal{I}}(t) = \begin{cases} 1, & \text{if } t_{i-1} \le t < t_i \text{ and } \mathcal{J}, \mathcal{V}, [t_{i-1}, t_i] \models \lceil v_{[P]} \rceil \text{ for } 1 \le i \le n \\ 0, & \text{otherwise.} \end{cases}$

Each such function has only a finite number of discontinuity points in any interval, so $\mathcal{I}$ is indeed an interpretation in DC.

We prove the remaining parts of the lemma by structural induction on $S$. Assume $S \in \mathcal{S}$. The cases where $S$ is $0$, $1$ or $P$ are trivial, so consider the following cases:

Case: $S$ has the form $\neg S'$.

Let $b = t_0 < t_1 < \cdots < t_n = e$ be a partition of $[b, e]$ for $S'$ given by the induction hypothesis. This can also be regarded as a partition for $\neg S'$, as $\neg\neg S' \Leftrightarrow S'$.

Consider an arbitrary $t$ ($b \le t < e$). By definition, $(\neg S')_{\mathcal{I}}(t) = 1 - S'_{\mathcal{I}}(t)$.

Let $t_{i-1} \le t < t_i$ for some $i \in \{ 1, \ldots, n \}$.

If $\mathcal{J}, \mathcal{V}, [t_{i-1}, t_i] \models \lceil v_{[S']} \rceil$ then $(\neg S')_{\mathcal{I}}(t) = 0$, as we have $S'_{\mathcal{I}}(t) = 1$ from the induction hypothesis.

If $\mathcal{J}, \mathcal{V}, [t_{i-1}, t_i] \models \lceil v_{[\neg S']} \rceil$ then $S'_{\mathcal{I}}(t) = 0$ by the induction hypothesis. But then $(\neg S')_{\mathcal{I}}(t) = 1$ as required.

Case: $S$ has the form $S' \lor S''$.

We combine the two partitions of $[b, e]$, for $S'$ and $S''$, given by the induction hypothesis to obtain a finite partition $b = t_0 < t_1 < \cdots < t_n = e$, where exactly one of the four formulas $\lceil v_{[S']} \rceil \land \lceil v_{[S'']} \rceil$, $\lceil v_{[\neg S']} \rceil \land \lceil v_{[\neg S'']} \rceil$, $\lceil v_{[S']} \rceil \land \lceil v_{[\neg S'']} \rceil$ or $\lceil v_{[\neg S']} \rceil \land \lceil v_{[S'']} \rceil$ will hold in each section $[t_{i-1}, t_i]$.

Therefore, using the induction hypotheses for $S'$ and $S''$, each section $[t_{i-1}, t_i]$ of the partition will fulfill one of the following cases, where each $\underline{v}$ is evaluated on $[t_{i-1}, t_i]$:

(i) $\underline{v}_{[S']} = \underline{v}_{[S'']} = t_i - t_{i-1}$ and $S'_{\mathcal{I}}(t) = S''_{\mathcal{I}}(t) = 1$, i.e. $(S' \lor S'')_{\mathcal{I}}(t) = 1$, for $t_{i-1} \le t < t_i$.

(ii) $\underline{v}_{[\neg S']} = \underline{v}_{[\neg S'']} = t_i - t_{i-1}$ and $S'_{\mathcal{I}}(t) = S''_{\mathcal{I}}(t) = 0$, i.e. $(S' \lor S'')_{\mathcal{I}}(t) = 0$, for $t_{i-1} \le t < t_i$.

(iii) $\underline{v}_{[S']} = t_i - t_{i-1}$, $\underline{v}_{[\neg S'']} = t_i - t_{i-1}$, $S'_{\mathcal{I}}(t) = 1$ and $S''_{\mathcal{I}}(t) = 0$, i.e. $(S' \lor S'')_{\mathcal{I}}(t) = 1$, for $t_{i-1} \le t < t_i$.

(iv) $\underline{v}_{[\neg S']} = t_i - t_{i-1}$, $\underline{v}_{[S'']} = t_i - t_{i-1}$, $S'_{\mathcal{I}}(t) = 0$ and $S''_{\mathcal{I}}(t) = 1$, i.e. $(S' \lor S'')_{\mathcal{I}}(t) = 1$, for $t_{i-1} \le t < t_i$.

For case (i), we must prove that $\mathcal{J}, \mathcal{V}, [t_{i-1}, t_i] \models \lceil v_{[S' \lor S'']} \rceil$. From Lemma 5.1,

$0 \le \underline{v}_{[S' \land S'']}[t_{i-1}, t_i] \le t_i - t_{i-1} \text{ and } 0 \le \underline{v}_{[S' \lor S'']}[t_{i-1}, t_i] \le t_i - t_{i-1} ,$

so it follows from $\mathcal{H}_4$ that

$\underline{v}_{[S' \lor S'']}[t_{i-1}, t_i] = t_i - t_{i-1} .$

Using the definition of $\lceil v_{[S]} \rceil$ we have the result that

$\mathcal{J}, \mathcal{V}, [t_{i-1}, t_i] \models \lceil v_{[S' \lor S'']} \rceil .$

For case (ii), we must prove that $\mathcal{J}, \mathcal{V}, [t_{i-1}, t_i] \models \lceil v_{[\neg(S' \lor S'')]} \rceil$. From Lemma 5.1,

$\underline{v}_{[S']}[t_{i-1}, t_i] = 0 \text{ and } \underline{v}_{[S'']}[t_{i-1}, t_i] = 0 .$

It follows from $\mathcal{H}_3$ and $\mathcal{H}_4$ that $\underline{v}_{[S' \lor S'']}[t_{i-1}, t_i] = 0$. Therefore, by Lemma 5.1,

$\underline{v}_{[\neg(S' \lor S'')]}[t_{i-1}, t_i] = t_i - t_{i-1}$

and, hence,

$\mathcal{J}, \mathcal{V}, [t_{i-1}, t_i] \models \lceil v_{[\neg(S' \lor S'')]} \rceil .$

For case (iii), we must prove that $\mathcal{J}, \mathcal{V}, [t_{i-1}, t_i] \models \lceil v_{[S' \lor S'']} \rceil$. Since, by Lemma 5.1, we have

$\underline{v}_{[S']}[t_{i-1}, t_i] \le \underline{v}_{[S' \lor S'']}[t_{i-1}, t_i] \le t_i - t_{i-1} ,$

it follows that $\underline{v}_{[S' \lor S'']}[t_{i-1}, t_i] = t_i - t_{i-1}$, i.e.

$\mathcal{J}, \mathcal{V}, [t_{i-1}, t_i] \models \lceil v_{[S' \lor S'']} \rceil .$

For case (iv), the proof is similar to that for the case (iii). □

Lemma 5.4 For a given $H$-triple $(\mathcal{J}, \mathcal{V}, [b, e])$, let $\mathcal{I}$ be an interpretation given by Lemma 5.3. Then for every $S \in \mathcal{S}$ and interval $[c, d] \subseteq [b, e]$,

$\mathcal{I}[\![ \int S ]\!][c, d] = \underline{v}_{[S]}[c, d] .$

Proof. Suppose $c = d$. Then $\mathcal{I}[\![ \int S ]\!][c, d] = 0$, and $\underline{v}_{[S]}[c, d] = 0$, since we have from Lemma 5.1 the result that $0 \le \underline{v}_{[S]}[c, d] \le d - c$.

Now suppose that $c < d$. Since $(\mathcal{J}, \mathcal{V}, [b, e])$ is an $H$-triple, so is $(\mathcal{J}, \mathcal{V}, [c, d])$. Let $c = t_0 < t_1 < \cdots < t_n = d$ be a finite partition of $[c, d]$ for $S$. The interpretation $\mathcal{I}$ given by Lemma 5.3 satisfies the condition that for $t \in [c, d)$,

$S_{\mathcal{I}}(t) = \begin{cases} 1, & \text{if } t \in [t_{i-1}, t_i) \text{ and } \mathcal{J}, \mathcal{V}, [t_{i-1}, t_i] \models \lceil v_{[S]} \rceil \\ 0, & \text{if } t \in [t_{i-1}, t_i) \text{ and } \mathcal{J}, \mathcal{V}, [t_{i-1}, t_i] \models \lceil v_{[\neg S]} \rceil \end{cases}$

Thus,

$\int_{t_{i-1}}^{t_i} S_{\mathcal{I}}(t)\, dt = \underline{v}_{[S]}[t_{i-1}, t_i] ,$

for $i = 1, \ldots, n$, and by $\mathcal{H}_5$,

$\mathcal{I}[\![ \int S ]\!][c, d] = \int_c^d S_{\mathcal{I}}(t)\, dt = \sum_{i=1}^{n} \underline{v}_{[S]}[t_{i-1}, t_i] = \underline{v}_{[S]}[c, d] .$

□
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Let (j)h be the IL formula obtained from cj) by replacing every occurrence 
of fS in (j) with 

Lemma 5.5 

\= <P iff \= (j)h . 

Proof. Note that |= (j) means the validity of (j) in DC, and |= (t)h 

means the validity of (j)h in IL. 

We first prove that |= (j) implies |= => (j>h- Suppose that 

^ ^ (l>h , 

i.e. there is an i7-triple {J, V, [6, e]) such that J, V, [b, e] ^ (j)h> By Lemma 5.4, 
there is a DC interpretation X such that for any S E S and [c, d] C [6, e], 

I|/51[c,d] = t;[s][c,d]. 

Since JT, V, [6, e] ^ (f)h, we have the result that X, V, [6, e] ^ </>, and hence 

¥= 4 >- 

To prove the other direction, i.e. \= => (j>h implies |= (/), suppose 

that 



(t>, 

i.e. there are a DC interpretation X, value assignment V and interval [h,e] 
such that X, V, [6, e] ^ (j). Let us construct an IL interpretation J: 

^S][c,d] =mSj[c,d\ 

for all 5 G and any interval [c, d] . 

By construction, we have from X, V, [5, e] ^ 0 the result that 

J,V,[b,e]^cl>h 

and, from Theorem 3.2 (soundness), V, [5, e] |= So ^ {^H(p) => 4>h- 

□ 

The relative-completeness theorem can now be proved.

Theorem 5.1 (Relative completeness) For every formula $\phi$ of DC,

$\models \phi \text{ implies } \mathcal{IL}_{DC} \vdash \phi .$

Proof. Suppose $\models \phi$. By Lemma 5.5, we obtain $\models (\Box H_\phi \Rightarrow \phi_h)$. Let $H$ be obtained from $H_\phi$ by replacing each $v_{[S]}$ by $\int S$. Then $(\Box H \Rightarrow \phi) \in \mathcal{IL}_{DC}$ and

$\mathcal{IL}_{DC} \vdash \Box H \Rightarrow \phi .$

We have the result that $H$ is a conjunction of a finite number of instances of DC axioms and DC1 and DC2, and, by PL and IL4, we therefore have

$\vdash \Box H .$

A deduction of $\mathcal{IL}_{DC} \vdash \phi$ follows by applying MP.

□
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Remark. 

1. Note that the relative-completeness result was achieved using the theo- 
rems DCl and DC2 instead of the two induction rules IRl and IR2. It 
is, however, convenient to have the two induction rules available when 
conducting proofs. 

2. Reference [38] presents another completeness result of DC. It replaces 

IRl and IR2 by an cj-rule to axiomatize the finite variability of states, 
and proves the completeness of the revised DC for an abstract domain. 
See Sect. 11.5 for more explanation of this completeness. □ 




6. Decidability 



In this chapter we consider a subset of formulas of DC for which the satisfiability of a formula is decidable. Since a formula $\phi$ is valid iff the formula $\neg\phi$ is not satisfiable, we can decide whether a formula in the subset is valid as well. The decidability results presented here are based on [167].

We investigate now the set RDC (restricted duration calculus) of formulas generated by

1. if $S$ is a state expression, then $\lceil S \rceil \in RDC$, and

2. if $\phi, \psi \in RDC$, then $\neg\phi$, $\phi \lor \psi$, $\phi \frown \psi \in RDC$.

We first present a discrete-time interpretation of RDC together with de- 
cidability results for the satisfiability of formulas for discrete time. It is also 
shown that RDC is expressive enough to formalize an interesting case study 
under the discrete-time interpretation. We then present a decidability result 
for RDC with regard to continuous time, which involves more complication. 



6.1 Discrete-Time Duration Calculus 

What shall we consider to be a discrete-time duration calculus? 

Even when the set of natural numbers $\mathbb{N} = \{0, 1, 2, \ldots\}$ is chosen as the discrete structure of the time, questions remain concerning restrictions on interpretations, intervals, and the truth of formulas.

First of all, we require, for every interpretation

$\mathcal{I} : SVar \to (Time \to \{0, 1\}) ,$

that the set of discontinuity points of each $P_{\mathcal{I}}$ ($P \in SVar$) must be a subset of $\mathbb{N}$. An interpretation satisfying this property is called a discrete interpretation.

Likewise, we shall consider only discrete intervals

$[b, e] \in Intv ,$

where $b, e \in \mathbb{N}$.

Finally, for a given RDC formula 0, we consider its truth value for discrete 
intervals and discrete interpretations only. 
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As a consequence of this, the definition of chop is different from 

that given in Chap. 2 for continuous time. Assuming that X is a discrete 
interpretation and [6, e] is a discrete interval, we define 



X, [6, e] 1= iff 



J X, [6, m]\= (f) and X, [m, e]\= ip, 1 
^ for some m G [6, e] where m G N J 



Here we leave out value assignments (V) from the definition, since we have 
no global variables in formulas of RDC. 

The other semantic clauses are not given, as they remain as they were in 
Chap. 3. However, from the semantics, we can derive 



[= [S] 

iff (e - 6) > 0 and for any t^b <t < e and ^ ^ N: X|5](t) = 1. 

An RDC formula (j) is valid for discrete time iff X, [6, e] \= (j) for every 
discrete interpretation X and every discrete interval [fe, e], and (j) is satisfiable 
for discrete time iff X, [6, e]\= (j) for some discrete interpretation X and some 
discrete interval [&, e]. 



6.1.1 Discrete Time Versus Continuous Time 

One can ask the question of what difference it makes to consider a discrete- 
time domain instead of a continuous-time domain. 

For discrete time, we can define $\ell = 1$ in RDC as follows:

$\ell = 1 \;\widehat{=}\; \lceil 1 \rceil \land \neg(\lceil 1 \rceil \frown \lceil 1 \rceil) .$

We can do this since $\ell = 1$ is the unit of time in the discrete-time domain; it is not a time point, and cannot be divided further into smaller time periods either.

However, $\ell = 1$ cannot be defined in continuous-time RDC where $\ell$ is syntactically excluded, as we shall prove in Sect. 6.2 that continuous-time RDC is decidable, whereas continuous-time RDC extended with $\ell = 1$ is undecidable, as we shall see in Sect. 7.2.

There are also formulas of RDC which are valid for continuous time, but not valid for discrete time, e.g.

$\lceil S \rceil \Rightarrow (\lceil S \rceil \frown \lceil S \rceil) .$

This formula is not true for a discrete interpretation over a unit interval, where $S$ has value $1$ throughout the interval.

In the following sections we shall present algorithms to identify the formu- 
las of RDC which are valid for discrete time and the RDC formulas which 
are valid for continuous time, since the validities of formulas of RDC are 
decidable for both discrete and continuous times. However, owing to the un- 
decidability results presented in the next chapter, there will be no algorithms 
to do so for DC formulas in general. 
6.1.2 Expressiveness of Discrete-Time RDC

From the proof of the decidability result for discrete-time RDC given in
Sect. 6.2, it is not difficult to conclude that discrete-time RDC has the same
expressiveness as a formulation in terms of simple timed automata, where
each transition takes place at a discrete time point and consumes one time
unit. This generalizes to the case where the time consumed by a transition is
within specified upper and lower bounds, including infinity and zero.

This generalization follows from the following equivalences, which imply
that $0 < \int P \wedge \int P < k$, for example, is expressible in discrete-time RDC:

$\ell = 0 \Leftrightarrow \neg\lceil 1\rceil$

$\int P = 0 \Leftrightarrow \lceil \neg P\rceil \vee \ell = 0$

$\ell = 1 \Leftrightarrow \lceil 1\rceil \wedge \neg(\lceil 1\rceil \frown \lceil 1\rceil)$

$\int P = 1 \Leftrightarrow (\int P = 0) \frown (\lceil P\rceil \wedge \ell = 1) \frown (\int P = 0)$

$\int P = k + 1 \Leftrightarrow (\int P = k) \frown (\int P = 1)$

$\int P \ge k \Leftrightarrow (\int P = k) \frown \mathit{true}$

$\int P > k \Leftrightarrow (\int P \ge k) \wedge \neg(\int P = k)$

$\int P \le k \Leftrightarrow \neg(\int P > k)$

$\int P < k \Leftrightarrow (\int P \le k) \wedge \neg(\int P = k)$,

where $k \in \mathbb{N}$ and $\mathit{true}$ can be defined, say, as $\lceil 1\rceil \vee \neg\lceil 1\rceil$.

Remark. Of the above definitions, only the first two are correct for continuous-
time RDC; the rest are not. The expressiveness of continuous-time RDC is,
unfortunately, equivalent to that of untimed automata. See the proof in
Sect. 6.3 for details. □

Regarding the gas burner example, it is obvious that the two design decisions
($\mathit{Des}_1$ and $\mathit{Des}_2$) can be expressed in discrete-time RDC. However, the
requirement $\mathit{GbReq}$ involves an inequality between state durations,

$20 \int \mathit{Leak} \le \ell$.

In the next chapter, it is proved that after $\int S_1 = \int S_2$ is added to RDC the
satisfiability problem of this extended subset becomes undecidable for both
discrete and continuous time. As a corollary of the decidability of RDC and
the undecidability of the extended RDC, equalities (and therefore inequalities)
of state durations cannot be expressed in RDC, either for continuous or for
discrete time.

Fortunately, in Sect. 3.5, it was shown that the requirement $\mathit{GbReq}$ can
be refined into

$\Box(\ell \le 30 \Rightarrow \int \mathit{Leak} \le 1)$,

which can be expressed in discrete-time RDC.

Thus, we can mechanically check the validity of

$(\mathit{Des}_1 \wedge \mathit{Des}_2) \Rightarrow \Box(\ell \le 30 \Rightarrow \int \mathit{Leak} \le 1)$,

for discrete time (see Lemma 3.5), following the decision algorithm developed
in the next section.



6.2 Decidability for Discrete Time

We show that the satisfiability of a formula $\phi \in \mathit{RDC}$ for discrete time is
decidable by defining a regular language $\mathcal{L}_1(\phi)$ such that

$\phi$ is satisfiable for discrete time iff $\mathcal{L}_1(\phi)$ is nonempty.

Let $S$ be the (finite) set of all state variables occurring in $\phi$. Then the
alphabet $\Sigma$ of the language $\mathcal{L}_1(\phi)$ is the set

$\Sigma = \mathcal{P}(S)$

of subsets of $S$. A letter $a \in \Sigma$ can denote the state expression (called the
basic conjunct) of $S$

$\bigwedge_{P \in a} P \;\wedge\; \bigwedge_{Q \in (S \setminus a)} \neg Q$,

which asserts that all state variables in $a$ have value one, while those of $S$
not in $a$ have value zero. From now on, we shall use $a$ to stand for both a
letter of $\Sigma$ and the basic conjunct of $S$ denoted by that letter.

A state expression $S$ of $\phi$ can be transformed into a disjunctive normal
form of basic conjuncts of $S$. Suppose $S \;\widehat{=}\; \bigvee_{i=1}^{n} a_i$, where $n \ge 0$ (when $S$ is
$0$, $n = 0$). Then $S$ can be denoted by a subset of letters of $\Sigma$, $\{a_1, \ldots, a_n\}$,
abbreviated to $\mathit{DNF}(S)$.

With each formula $\phi$ we associate a regular language $\mathcal{L}_1(\phi) \subseteq \Sigma^*$, such
that $\phi$ holds on a discrete interval $[b, e]$ for a discrete interpretation $\mathcal{I}$ iff
there is a string $v \in \mathcal{L}_1(\phi)$ which corresponds to the interpretation $\mathcal{I}$ on
$[b, e]$. Thus, the formula $\phi$ is satisfiable for discrete time iff the language
$\mathcal{L}_1(\phi)$ is nonempty.

Since the emptiness of a regular language is decidable, we obtain a procedure
for deciding the satisfiability of $\phi$.
The definition of $\mathcal{L}_1(\phi)$ is quite straightforward. Let every letter of $\Sigma$
correspond to a unit interval. Therefore, the formula $\lceil S\rceil$ is associated with
the positive closure $(\mathit{DNF}(S))^+$, which means that the presence of state $S$
remains for an arbitrary positive number of time units. Disjunction $\vee$ is
denoted by union, negation $\neg$ by complement, and chop by concatenation,
where concatenation is defined by:

$L_1 L_2 = \{vu \mid v \in L_1 \text{ and } u \in L_2\}$.

Since $(\mathit{DNF}(S))^+$ is a regular language, and the family of regular languages
is closed under union, complement and concatenation [65], every formula can
be denoted by a regular language. More precisely,

$\mathcal{L}_1(\lceil S\rceil) = (\mathit{DNF}(S))^+$

$\mathcal{L}_1(\phi \vee \psi) = \mathcal{L}_1(\phi) \cup \mathcal{L}_1(\psi)$

$\mathcal{L}_1(\neg\phi) = \Sigma^* \setminus \mathcal{L}_1(\phi)$

$\mathcal{L}_1(\phi \frown \psi) = \mathcal{L}_1(\phi)\,\mathcal{L}_1(\psi)$.

We define the string $v = a_1 \cdots a_N \in \Sigma^*$ to correspond to a discrete
interpretation $\mathcal{I}$ of $\phi$ if $\mathcal{I}[\![a_i]\!](t) = 1$ for $t \in (i-1, i)$, $i \in \{1, \ldots, N\}$. (If $N = 0$,
then $v$ is the empty string, which corresponds to any discrete interpretation
on the point interval $[0, 0]$.)

Lemma 6.1 Let a formula $\phi \in \mathit{RDC}$, a discrete interpretation $\mathcal{I}$ of $\phi$, and
its corresponding string $v = a_1 \cdots a_N$ be given. Then

$\mathcal{I}, [0, N] \models \phi$ for discrete time iff $v$ belongs to $\mathcal{L}_1(\phi)$.

Proof. By induction on the structure of $\phi$. The “if” and “only if” directions
must be proved jointly because of the complement ($\neg$) case.

Base case: $\phi$ is $\lceil S\rceil$.

1. “Only if”: Suppose $\lceil S\rceil$ holds on $[0, N]$ for $\mathcal{I}$. We have $N > 0$, and for
every $i \in \{1, \ldots, N\}$, $\mathcal{I}[\![S]\!](t) = 1$ for $t \in (i-1, i)$. Since $v = a_1 \cdots a_N$
corresponds to $\mathcal{I}$, for every $i \in \{1, \ldots, N\}$ and $t \in (i-1, i)$, we have
$\mathcal{I}[\![a_i]\!](t) = 1$. So $a_i \in \mathit{DNF}(S)$ by $S \;\widehat{=}\; \bigvee_{a \in \mathit{DNF}(S)} a$.
Therefore $v \in \mathit{DNF}(S)^+$. That is, $v \in \mathcal{L}_1(\lceil S\rceil)$.

2. “If”: Suppose $v \in \mathcal{L}_1(\lceil S\rceil)$. Then $v \in \mathit{DNF}(S)^+$, and hence $N > 0$.
Since $v$ corresponds to $\mathcal{I}$, we have $\mathcal{I}[\![a_i]\!](t) = 1$ for $i \in \{1, \ldots, N\}$ and
$t \in (i-1, i)$. So $\mathcal{I}[\![S]\!](t) = 1$ for $t \in (i-1, i)$ and $i \in \{1, \ldots, N\}$, because
$a_i \in \mathit{DNF}(S)$ for $i \in \{1, \ldots, N\}$. Thus, we can conclude $\mathcal{I}, [0, N] \models \lceil S\rceil$
from the semantic definition.
Inductive case: $\phi$ is $\neg\psi$.

1. “Only if”: Suppose $\neg\psi$ holds on $[0, N]$ for $\mathcal{I}$. Then $\psi$
does not hold on $[0, N]$ for $\mathcal{I}$. By the induction hypothesis, $v \notin \mathcal{L}_1(\psi)$.
Therefore $v \in (\Sigma^* \setminus \mathcal{L}_1(\psi))$. Hence $v \in \mathcal{L}_1(\neg\psi)$, because
$\mathcal{L}_1(\neg\psi) = \Sigma^* \setminus \mathcal{L}_1(\psi)$.

2. “If”: Suppose $v \in \mathcal{L}_1(\neg\psi)$, i.e. $v \notin \mathcal{L}_1(\psi)$. By the induction hypothesis,
$\psi$ does not hold on $[0, N]$ for $\mathcal{I}$. Thus $\neg\psi$ holds on $[0, N]$ for $\mathcal{I}$.

Inductive case: $\phi$ is $\psi \frown \varphi$.

1. “Only if”: Suppose $\psi \frown \varphi$ holds on $[0, N]$ for $\mathcal{I}$. We have $M \in \{0, \ldots, N\}$
such that $\psi$ holds on $[0, M]$ for $\mathcal{I}$, and $\varphi$ holds on $[M, N]$ for $\mathcal{I}$. Since $v$
corresponds to $\mathcal{I}$ on $[0, N]$, $v_1 = a_1 \cdots a_M$ corresponds to $\mathcal{I}$ on $[0, M]$ and
$v_2 = a_{M+1} \cdots a_N$ corresponds to $\mathcal{I}_M$ on $[0, N - M]$, where the definition
of $\mathcal{I}_M$ refers to Lemma 3.1, i.e.

$\mathcal{I}_M[\![P]\!](t) = \mathcal{I}[\![P]\!](t + M)$,

for any $P \in \mathit{SVar}$. By Lemma 3.1, $\varphi$ holds on $[0, N - M]$ for $\mathcal{I}_M$. Therefore,
by the induction hypothesis, $v_1 \in \mathcal{L}_1(\psi)$ and $v_2 \in \mathcal{L}_1(\varphi)$. Thus,
$v = v_1 v_2 \in \mathcal{L}_1(\psi)\mathcal{L}_1(\varphi) = \mathcal{L}_1(\psi \frown \varphi)$.

2. “If”: Suppose $v \in \mathcal{L}_1(\psi \frown \varphi)$. There must be $v_1 = a_1 \cdots a_M \in \mathcal{L}_1(\psi)$ and
$v_2 = a_{M+1} \cdots a_N \in \mathcal{L}_1(\varphi)$ such that $v = v_1 v_2$. Then $v_1$ corresponds to $\mathcal{I}$
on $[0, M]$ and $v_2$ to $\mathcal{I}_M$ on $[0, N - M]$. By the induction hypothesis, $\psi$
holds on $[0, M]$ for $\mathcal{I}$ and $\varphi$ holds on $[0, N - M]$ for $\mathcal{I}_M$. By Lemma 3.1,
$\varphi$ also holds on $[M, N]$ for $\mathcal{I}$. Therefore we can conclude that $\psi \frown \varphi$ holds on
$[0, N]$ for $\mathcal{I}$.

Inductive case: $\phi$ is $(\psi \vee \varphi)$. This case is left for those readers who are
interested in the details of the proof. □

It is obvious that for every string $v$ of length $N$ in $\Sigma^*$ there is an
interpretation $\mathcal{I}$ of $\phi$ such that $v$ corresponds to $\mathcal{I}$ and, conversely, for every
interpretation $\mathcal{I}$ of $\phi$ and interval $[0, N]$ there is a string $v$ of length $N$ in $\Sigma^*$
which corresponds to $\mathcal{I}$. By Theorem 3.1 and Lemma 6.1, we have:

Lemma 6.2 A formula $\phi \in \mathit{RDC}$ is satisfiable for discrete time iff the regular
language $\mathcal{L}_1(\phi)$ is nonempty.

Theorem 6.1 The satisfiability of RDC formulas for discrete time is decidable.

We now show how to mechanically check the validity of RDC formulas
for discrete time.
Question 1: Is the formula $(\lceil P\rceil \frown \lceil P\rceil) \Rightarrow \lceil P\rceil$ valid for discrete time?

Since $P$ is the only state variable occurring in the formula, the alphabet
$\Sigma = \{\{P\}, \{\}\}$. We have

$(\lceil P\rceil \frown \lceil P\rceil) \Rightarrow \lceil P\rceil$ is valid
iff $\neg((\lceil P\rceil \frown \lceil P\rceil) \Rightarrow \lceil P\rceil)$ is not satisfiable
iff $(\lceil P\rceil \frown \lceil P\rceil) \wedge \neg\lceil P\rceil$ is not satisfiable
iff $\{\{P\}^i \mid i \ge 2\} \cap (\Sigma^* \setminus \{\{P\}^i \mid i \ge 1\}) = \{\}$.

The last equality holds. Therefore, the formula $(\lceil P\rceil \frown \lceil P\rceil) \Rightarrow \lceil P\rceil$ is valid
for discrete time. □

Question 2: Is the formula $\lceil P\rceil \Rightarrow (\lceil P\rceil \frown \lceil P\rceil)$ valid for discrete time?

Again, the alphabet is $\Sigma = \{\{P\}, \{\}\}$. We have

$\lceil P\rceil \Rightarrow (\lceil P\rceil \frown \lceil P\rceil)$ is valid
iff $\lceil P\rceil \wedge \neg(\lceil P\rceil \frown \lceil P\rceil)$ is not satisfiable
iff $\mathcal{L}_1(\lceil P\rceil) \cap \mathcal{L}_1(\neg(\lceil P\rceil \frown \lceil P\rceil)) = \{\}$
iff $\mathcal{L}_1(\lceil P\rceil) \cap (\Sigma^* \setminus \mathcal{L}_1(\lceil P\rceil \frown \lceil P\rceil)) = \{\}$
iff $\mathcal{L}_1(\lceil P\rceil) \subseteq \mathcal{L}_1(\lceil P\rceil \frown \lceil P\rceil)$
iff $\{\{P\}^i \mid i \ge 1\} \subseteq \{\{P\}^i \mid i \ge 2\}$.

The last inclusion is false, as the letter $\{P\}$ belongs to $\{\{P\}^i \mid i \ge 1\}$ but not
to $\{\{P\}^i \mid i \ge 2\}$. Namely, for a discrete interpretation and a unit interval over
which $P$ has value 1 under the interpretation, the truth value of the formula
$\lceil P\rceil \Rightarrow (\lceil P\rceil \frown \lceil P\rceil)$ is false. Thus, the formula $\lceil P\rceil \Rightarrow (\lceil P\rceil \frown \lceil P\rceil)$ is not
valid for discrete time. □

Using this technique, we can decide that the formula

$(\mathit{Des}_1 \wedge \mathit{Des}_2) \Rightarrow \Box(\ell \le 30 \Rightarrow \int \mathit{Leak} \le 1)$

is valid.

It is, however, more interesting that the phase automaton of a more “realistic”
gas burner specification considered in [127] can be expressed in discrete-time
RDC as well. This phase automaton represents an implementation of a
set of requirements for the gas burner which can also be expressed in discrete-
time RDC. It was proved in [127] by the axioms and rules of DC that the
phase automaton implies the requirements. In fact, the algorithm developed
in this section can carry out this proof mechanically for the discrete-time
domain.
6.3 Decidability for Continuous Time

Consider the formula $\lceil P\rceil \Rightarrow (\lceil P\rceil \frown \lceil P\rceil)$, which is valid for continuous
time, but not for discrete time.

Recalling the answer to the question of its validity for discrete time given
in Sect. 6.2, we have

$\lceil P\rceil \Rightarrow (\lceil P\rceil \frown \lceil P\rceil)$ is valid iff $\mathcal{L}_1(\lceil P\rceil) \subseteq \mathcal{L}_1(\lceil P\rceil \frown \lceil P\rceil)$.

Because $\{P\} \in \mathcal{L}_1(\lceil P\rceil)$ and $\{P\} \notin \mathcal{L}_1(\lceil P\rceil \frown \lceil P\rceil)$, the inclusion property
is not satisfied. In the discrete-time domain, the intuitive interpretation of
$\{P\}$ is that state $P$ lasts for one time unit.

However, a letter, say $\{P\}$, cannot be interpreted as lasting one time unit
in a continuous-time domain. But with a closure property, it is possible to
reuse ideas from the discrete-time construction to achieve a decidability result
for continuous time.

A language $L$ over the alphabet $\Sigma$ is called contraction closed if

$vaaw \in L$ implies $vaw \in L$,

for any $v, w \in \Sigma^*$ and $a \in \Sigma$.

The language $\mathcal{L}_1(\lceil P\rceil \frown \lceil P\rceil) = \{\{P\}^i \mid i \ge 2\}$ is not contraction closed,
since $\{P\}\{P\}$ belongs to the language and $\{P\}$ does not belong to the
language.

Let $\downarrow\! L$ denote the contraction closure of $L$, i.e. the smallest contraction-
closed set containing $L$. By a simple construction on finite automata, we can
establish the following lemma.

Lemma 6.3 If $L$ is regular, then so is $\downarrow\! L$.

Proof. Let $A$ be a finite automaton accepting $L$. We give here the main ideas
behind a construction of an automaton $A'$ accepting $\downarrow\! L$. $A'$ has the same
states (including the same initial and final states) and the same alphabet as
$A$.

The transition relation of $A'$ is defined as follows. For any states $q$ and $q'$
and any letter $a$,

there is a transition from $q$ to $q'$ on $a$ in $A'$
if and only if there exist states $q_1, \ldots, q_n$ such that $q = q_1$, $q_n = q'$ and
there is a transition from $q_i$ to $q_{i+1}$ on $a$ in $A$ for $1 \le i < n$. □

On the basis of Lemma 6.3, we can now construct a regular language
$\mathcal{L}_2(\phi)$ for an arbitrarily given formula $\phi \in \mathit{RDC}$ in a way similar to the
procedure used for discrete time:

$\mathcal{L}_2(\lceil S\rceil) = (\mathit{DNF}(S))^+$

$\mathcal{L}_2(\phi \vee \psi) = \mathcal{L}_2(\phi) \cup \mathcal{L}_2(\psi)$

$\mathcal{L}_2(\neg\phi) = \Sigma^* \setminus \mathcal{L}_2(\phi)$

$\mathcal{L}_2(\phi \frown \psi) = \downarrow\!(\mathcal{L}_2(\phi)\,\mathcal{L}_2(\psi))$.

We prove in the following lemma that the above regular languages are
contraction closed.

Lemma 6.4 For any $\phi \in \mathit{RDC}$, $\mathcal{L}_2(\phi)$ is contraction closed.

Proof. We prove the lemma by induction on the structure of $\phi$. However, set
subtraction does not preserve the contraction closure property. For example,
$\Sigma^* \setminus \{a\}$ is not contraction closed for any $a$ of $\Sigma$. We therefore introduce
the auxiliary notions of expansion closed and fully closed. A language $L$ is
expansion closed if

$vaw \in L$ implies $vaaw \in L$,

for any $v, w \in \Sigma^*$ and $a \in \Sigma$. $L$ is fully closed if $L$ is both contraction and
expansion closed.

It can easily be proved that $(\mathit{DNF}(S))^+$ is fully closed, and the operators
$\cup$, $\setminus$ and $\downarrow$ preserve the full-closure property. Thus, $\mathcal{L}_2(\phi)$ is fully closed for
any $\phi \in \mathit{RDC}$. □

Let $L_1$ and $L_2$ be contraction-closed languages over $\Sigma$ and $v \in \downarrow\!(L_1 L_2)$.
The following lemma is easily established.

Lemma 6.5 Either there are $v_1 \in L_1$ and $v_2 \in L_2$ such that $v = v_1 v_2$, or
there are $v_1 \in L_1$, $v_2 \in L_2$ and $a \in \Sigma$ such that $v = v_1' a v_2'$, where $v_1 = v_1' a$
and $v_2 = a v_2'$.

In order to prove that $\phi \in \mathit{RDC}$ is satisfiable for continuous time iff $\mathcal{L}_2(\phi)$
is not empty, we introduce, for the continuous-time domain, the correspondence
between an interpretation $\mathcal{I}$ and a string $v$. Since a letter of $v$ no longer
represents a unit of time, the correspondence depends on a partition of the
interval considered, which is derived from the finite variability of $\mathcal{I}$.

Given a formula $\phi$, a partition of an interpretation $\mathcal{I}$ over an interval $[0, e]$
is a collection of reals $0 = b_0 < b_1 < \cdots < b_N = e$ such that $\mathcal{I}[\![P]\!](t)$ is
constant on $(b_{i-1}, b_i)$ for every state variable $P$ of $\phi$. From the assumption of
the finite variability of states, it is obvious that for any $\phi$, $\mathcal{I}$ and $[0, e]$ there
exists a partition. (Note that in the special case of discrete time we have
$b_i \in \mathbb{N}$.)

The string $v = a_1 \cdots a_N \in \Sigma^*$ corresponds to the interpretation $\mathcal{I}$ on $[0, e]$
with partition $0 = b_0 < b_1 < \cdots < b_N = e$ if $\mathcal{I}[\![a_i]\!](t) = 1$ for $t \in (b_{i-1}, b_i)$
and $i \in \{1, \ldots, N\}$. If $N = 0$, then $v$ is the empty string and $e = 0$.

By an induction proof on the structure of $\phi$, we can establish the following
lemma.

Lemma 6.6 Let a formula $\phi \in \mathit{RDC}$, an interval $[0, e]$, an interpretation $\mathcal{I}$
of $\phi$ with partition $0 = b_0 < b_1 < \cdots < b_N = e$ and a corresponding string
$v = a_1 \cdots a_N$ be given. Then $\mathcal{I}, [0, e] \models \phi$ iff $v$ belongs to $\mathcal{L}_2(\phi)$.

Proof. We can present a proof similar to that of Lemma 6.1 by induction
on the structure of $\phi$. The important changes are in the inductive case: $\phi$ is
$\psi \frown \varphi$. We now present the details of the proof for this case.

Let $\phi$ be $\psi \frown \varphi$.

“Only if”: Suppose $\psi \frown \varphi$ holds on $[0, e]$ for $\mathcal{I}$. There must be an $m \in [0, e]$
such that $\psi$ holds on $[0, m]$ for $\mathcal{I}$ and $\varphi$ holds on $[m, e]$ for $\mathcal{I}$.

First, the cases $m = 0$ and $m = e$ are straightforward: they can be dealt
with by using the induction hypothesis for $\varphi$ and $\psi$, respectively.

The case where $0 < m < e$ is divided into two subcases:

Subcase: there is an $M \in \{1, \ldots, N\}$ such that $m = b_M$.

By applying similar reasoning to that used in Lemma 6.1, we obtain the
result that the string $a_1 \cdots a_M$ corresponds to $\mathcal{I}$ on the interval $[0, m]$ with
partition $0 = b_0 < b_1 < \cdots < b_M = m$, the string $a_{M+1} \cdots a_N$ corresponds to
$\mathcal{I}_m$ on the interval $[0, e - m]$ with partition $0 < b_{M+1} - m < \cdots < b_N - m$, and
then $v \in \mathcal{L}_2(\psi)\mathcal{L}_2(\varphi)$. Since $\mathcal{L}_2(\psi)\mathcal{L}_2(\varphi) \subseteq \downarrow\!(\mathcal{L}_2(\psi)\mathcal{L}_2(\varphi))$ by the definition
of $\downarrow$, we have the result that $v \in \downarrow\!(\mathcal{L}_2(\psi)\mathcal{L}_2(\varphi)) = \mathcal{L}_2(\psi \frown \varphi)$, and thus the
proof for this subcase is completed.

Subcase: there is an $M \in \{1, \ldots, N\}$ such that $b_{M-1} < m < b_M$.

Then, by the induction hypothesis, $v_1 = a_1 \cdots a_{M-1} a_M \in \mathcal{L}_2(\psi)$, because
$v_1$ corresponds to $\mathcal{I}$ on $[0, m]$ with partition $0 = b_0 < b_1 < \cdots < b_{M-1} < m$,
and $v_2 = a_M a_{M+1} \cdots a_N \in \mathcal{L}_2(\varphi)$, because $v_2$ corresponds to $\mathcal{I}_m$ on the
interval $[0, e - m]$ with partition $0 < b_M - m < \cdots < b_N - m$. Thus, we
have $v_1 v_2 = a_1 \cdots a_{M-1} a_M a_M a_{M+1} \cdots a_N \in \mathcal{L}_2(\psi)\mathcal{L}_2(\varphi)$, and therefore
$v = a_1 \cdots a_{M-1} a_M a_{M+1} \cdots a_N \in \downarrow\!(\mathcal{L}_2(\psi)\mathcal{L}_2(\varphi)) = \mathcal{L}_2(\psi \frown \varphi)$.

“If”: Suppose $v \in \mathcal{L}_2(\psi \frown \varphi) = \downarrow\!(\mathcal{L}_2(\psi)\mathcal{L}_2(\varphi))$. By Lemmas 6.4 and 6.5,
there are two subcases.

First, consider the subcase $v = v_1 v_2$, where

$v_1 = a_1 \cdots a_M \in \mathcal{L}_2(\psi)$ and $v_2 = a_{M+1} \cdots a_N \in \mathcal{L}_2(\varphi)$.

Then, if we choose $m = b_M$, $v_1$ corresponds to $\mathcal{I}$ on $[0, m]$ with partition
$0 < b_1 < \cdots < b_M = m$ and $v_2$ corresponds to $\mathcal{I}_m$ on $[0, e - m]$ with partition
$0 < b_{M+1} - m < \cdots < b_N - m = e - m$. By the induction hypothesis and
Lemma 3.1, $\psi$ holds on $[0, m]$ for $\mathcal{I}$, and $\varphi$ holds on $[m, e]$ for $\mathcal{I}$, so $\psi \frown \varphi$
holds on $[0, e]$ for $\mathcal{I}$.

Second, consider the subcase $v = v_1' a_M v_2'$, where

$v_1 = v_1' a_M = a_1 \cdots a_M \in \mathcal{L}_2(\psi)$
and $v_2 = a_M v_2' = a_M \cdots a_N \in \mathcal{L}_2(\varphi)$.

If we now choose $m = (b_{M-1} + b_M)/2$, $v_1$ corresponds to $\mathcal{I}$ on $[0, m]$ with
partition $0 < b_1 < \cdots < b_{M-1} < m$, and $v_2$ corresponds to $\mathcal{I}_m$ on $[0, e - m]$
with partition $0 < b_M - m < \cdots < b_N - m = e - m$. By the induction
hypothesis and Lemma 3.1, $\psi$ holds on $[0, m]$ for $\mathcal{I}$ and $\varphi$ holds on $[m, e]$ for
$\mathcal{I}$, so $\psi \frown \varphi$ holds on $[0, e]$ for $\mathcal{I}$. □

It is trivial to show that for any string $v$ of length $N$, given an interval
$[0, e]$ and a partition of $[0, e]$ with $N$ sections, there is an interpretation $\mathcal{I}$ such
that $v$ corresponds to $\mathcal{I}$ on $[0, e]$ with the given partition. Conversely, for any
interpretation $\mathcal{I}$, given an interval $[0, e]$ and a partition of $[0, e]$, there is a
unique corresponding string $v \in \Sigma^*$. Hence, by Lemma 6.6 and Theorem 3.1,
we can prove:

Lemma 6.7 A formula $\phi \in \mathit{RDC}$ is satisfiable for continuous time iff the
language $\mathcal{L}_2(\phi)$ is not empty.

Since $\mathcal{L}_2(\phi)$ is a regular language, we have:

Theorem 6.2 The satisfiability of RDC formulas for continuous time is
decidable.
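The constructions of Sect. 6.2 (the language L1 for discrete time) and Sect. 6.3 (L2 for continuous time, with the contraction closure of Lemma 6.3) carried out on finite automata, as an added example that is not code from the book: a formula is built into an automaton over the alphabet P(S), emptiness is tested, and Questions 1 and 2 of Sect. 6.2 together with the remark on ℓ = 1 from Sect. 6.1.1 serve as inputs. The tuple syntax for formulas and state expressions and all function names are this example's own assumptions.

```python
"""L1 (Sect. 6.2, discrete time) and L2 (Sect. 6.3, continuous time) as finite automata.
Added example, not the book's code.  Assumed tuple syntax: state expressions are 0, 1,
'P' (a state variable), ('not', e), ('and', e, f), ('or', e, f); formulas are
('holds', S), ('not', p), ('or', p, q), ('chop', p, q)."""
from itertools import combinations

def holds(expr, letter):
    """Value of a state expression under the letter a in P(S): P is 1 iff P in a."""
    if isinstance(expr, str):
        return expr in letter
    if not isinstance(expr, tuple):
        return bool(expr)
    op, e, *rest = expr
    if op == 'not':
        return not holds(e, letter)
    if op == 'and':
        return holds(e, letter) and holds(rest[0], letter)
    return holds(e, letter) or holds(rest[0], letter)

def dnf(expr, alphabet):
    """DNF(S): the letters (basic conjuncts) under which S has value 1."""
    return {a for a in alphabet if holds(expr, a)}

# An NFA is (states, starts, accepts, delta); delta[(q, a)] is defined for every q and a.
def plus(letters, alphabet):
    """(DNF(S))^+: one or more letters from DNF(S)."""
    delta = {(q, a): set() for q in (0, 1) for a in alphabet}
    for a in letters:
        delta[(0, a)].add(1)
        delta[(1, a)].add(1)
    return ({0, 1}, {0}, {1}, delta)

def rename(A, tag):
    """Tag every state so that two automata have disjoint state sets."""
    states, starts, accepts, delta = A
    return ({(tag, q) for q in states}, {(tag, q) for q in starts}, {(tag, q) for q in accepts},
            {((tag, q), a): {(tag, p) for p in ps} for (q, a), ps in delta.items()})

def union(A, B):
    (sA, iA, fA, dA), (sB, iB, fB, dB) = rename(A, 'A'), rename(B, 'B')
    return (sA | sB, iA | iB, fA | fB, {**dA, **dB})

def concat(A, B, alphabet):
    """L(A)L(B): an accepting state of A also moves as the start states of B do."""
    (sA, iA, fA, dA), (sB, iB, fB, dB) = rename(A, 'A'), rename(B, 'B')
    delta = {**dA, **dB}
    for q in fA:
        for a in alphabet:
            delta[(q, a)] = dA[(q, a)] | {p for s in iB for p in dB[(s, a)]}
    accepts = fB | (fA if iB & fB else set())   # A's final states accept iff B accepts ""
    return (sA | sB, iA, accepts, delta)

def closure(initial, step):
    """Everything reachable from `initial` by repeatedly applying `step` (set -> set)."""
    seen, todo = set(initial), list(initial)
    while todo:
        new = step(todo.pop()) - seen
        seen |= new
        todo += new
    return seen

def determinize(A, alphabet):
    """Subset construction; the result is a complete DFA in the same representation."""
    states, starts, accepts, delta = A
    move = lambda cur, a: frozenset(p for q in cur for p in delta[(q, a)])
    seen = closure({frozenset(starts)}, lambda cur: {move(cur, a) for a in alphabet})
    d = {(cur, a): {move(cur, a)} for cur in seen for a in alphabet}
    return (seen, {frozenset(starts)}, {s for s in seen if s & accepts}, d)

def complement(A, alphabet):
    """Sigma* minus L(A): flip the accepting states of the complete DFA."""
    states, starts, accepts, delta = determinize(A, alphabet)
    return (states, starts, states - accepts, delta)

def contract(A, alphabet):
    """Lemma 6.3: q -a-> q' in A' iff A has a chain of one or more a-moves from q to q'."""
    states, starts, accepts, delta = A
    new = {(q, a): closure(delta[(q, a)], lambda p, a=a: delta[(p, a)])
           for q in states for a in alphabet}
    return (states, starts, accepts, new)

def nonempty(A, alphabet):
    """Emptiness test: is some accepting state reachable from a start state?"""
    states, starts, accepts, delta = A
    return bool(closure(starts, lambda q: {p for a in alphabet for p in delta[(q, a)]}) & accepts)

def lang(phi, alphabet, continuous=False):
    """L1(phi) for discrete time; L2(phi), with chop contraction-closed, for continuous time."""
    op, *args = phi
    if op == 'holds':
        return plus(dnf(args[0], alphabet), alphabet)
    sub = [lang(x, alphabet, continuous) for x in args]
    if op == 'or':
        return union(sub[0], sub[1])
    if op == 'not':
        return complement(sub[0], alphabet)
    cat = concat(sub[0], sub[1], alphabet)
    return contract(cat, alphabet) if continuous else cat

def variables(node):
    """State variables occurring in a formula or state expression."""
    if isinstance(node, str):
        return {node}
    return set().union(*map(variables, node[1:])) if isinstance(node, tuple) else set()

def satisfiable(phi, continuous=False):
    S = sorted(variables(phi))
    alphabet = [frozenset(c) for r in range(len(S) + 1) for c in combinations(S, r)]  # Sigma = P(S)
    return nonempty(lang(phi, alphabet, continuous), alphabet)

def valid(phi, continuous=False):
    """phi is valid iff not(phi) is unsatisfiable, as in Questions 1 and 2 of Sect. 6.2."""
    return not satisfiable(('not', phi), continuous)

def implies(phi, psi):
    return ('or', ('not', phi), psi)
```

With `P = ('holds', 'P')`, `valid(implies(('chop', P, P), P))` is True and `valid(implies(P, ('chop', P, P)))` is False for discrete time, while the latter becomes True with `continuous=True`; the formula ⌈1⌉ ∧ ¬(⌈1⌉⌢⌈1⌉) is satisfiable for discrete time only.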



6.4 Complexity, Tools and Other Decidable Subclasses 

The efficiency of the above decision procedure depends not only on the
decision algorithm for the emptiness problem of a regular language, but also
on the construction of the regular language. Each negation occurring in the
formula may cause an exponential blow-up of the construction. The authors
of [142] have proved that the complexity of this decision procedure is
nonelementary. So the worst case is very poor indeed.

In [142], the decision procedure was implemented and used to prove the 
correctness of Fischer’s mutual exclusion protocol. The results were not too 
bad. It took, for example, approximately 12 minutes to verify a formula con- 
sisting of 3775 characters on a DECStation 5000-240 with 128 MB of memory. 

The proof assistant tool for DC described in [143] also supports the use 
of this decision procedure. 

In the literature, the decidability issue of DC has been investigated further.
In [105], after quantifications over states are introduced into RDC (the
result is called quantified discrete-time duration calculus, QDDC, in [103]),
the satisfiability of formulas is still decidable. This decision algorithm was
implemented as a tool called DCVALID.

References [32, 33, 131] proved that the satisfiability of an RDC formula
for a discrete interpretation but over a continuous interval is still decidable.
References [32, 33] also extended the decidable class of RDC for continuous
time by including $\int S = k$, but with a restriction on the finite variability such
that the number of discontinuity points of any state in any unit interval has
a fixed upper bound.

In [41], a decidability result was presented for a variant of DC where negation
is removed from RDC but an iteration operator is introduced together
with the inequalities $\ell > k$ and $\ell < k$, where $k \in \mathbb{N}$.

In [104], CTL* ([29]) was extended with QDDC, and it was shown how the 
extension could be reduced to CTL*. On the basis of this reduction, another 
model-checking tool, CTLDC, was implemented. 

In [13, 106], the digitization of the validity problem of DC formulas and its 
reduction to QDDC were investigated, and results were obtained concerning 
how to check the validity of DC formulas (for continuous time) by using 
DCVALID. 
All the disappointing news comes in this chapter: even for a very restricted
subset of DC formulas, it is undecidable whether a formula in the subset is
satisfiable.

The general technique used to show these results is to reduce the halting 
problem of a two-counter machine to the satisfiability of formulas belonging 
to the subset under consideration. The main results are taken from [167]. 



7.1 Extensions of RDC

Below we define three different extensions of RDC, called $\mathit{RDC}_1(r)$, $\mathit{RDC}_2$
and $\mathit{RDC}_3$. The extensions seem small, but in later sections we shall establish
undecidability results (of satisfiability and validity problems) for each of the
corresponding subsets.

Hence, each of these extensions marks a border between decidability and
undecidability.

7.1.1 $\mathit{RDC}_1(r)$

In this extension, we add to RDC the atomic formula

$\ell = r$,

where $r$ is a real number.

Hence, the set of formulas $\mathit{RDC}_1(r)$, where $r \in \mathbb{R}$ is a fixed constant, is
the subset of DC generated as follows:

1. the formula $\ell = r$ belongs to $\mathit{RDC}_1(r)$,

2. if $S$ is a state expression, then $\lceil S\rceil$ belongs to $\mathit{RDC}_1(r)$, and

3. if $\phi$ and $\psi$ belong to $\mathit{RDC}_1(r)$, then so do $\neg\phi$, $\phi \vee \psi$, and $\phi \frown \psi$.

When $r$ is a natural number, we have previously seen from Sects. 6.1.2
and 6.2 that it is decidable for discrete time whether a formula of $\mathit{RDC}_1(r)$
is satisfiable. Since $\ell = 0$ can be expressed by $\neg\lceil 1\rceil$, we have the result
that $\mathit{RDC}_1(0)$ is expressible in RDC, and thus the satisfiability question for
$\mathit{RDC}_1(0)$ is decidable for continuous time. If $r < 0$ then $\ell = r$ is false, which
is expressible in RDC as well.

Therefore, the continuous-time domain and $r > 0$ are assumed in the
undecidability proof for $\mathit{RDC}_1(r)$ given in Sect. 7.2. This undecidability result
illustrates the strength of imposing the precision $\ell = r$ on the length of an
interval for continuous time.

7.1.2 $\mathit{RDC}_2$

In this extension, we allow atomic formulas of the form

$\int S_1 = \int S_2$

only, where $S_1$ and $S_2$ are state expressions. In this case we can still express
the formulas of RDC as

$\lceil S\rceil \;\widehat{=}\; (\int S = \int 1) \wedge \neg(\int 1 = \int 0)$.

Hence, the set of formulas $\mathit{RDC}_2$ is the subset of DC generated as follows:

1. if $S_1$ and $S_2$ are state expressions, then $\int S_1 = \int S_2$ belongs to $\mathit{RDC}_2$, and

2. if $\phi$ and $\psi$ belong to $\mathit{RDC}_2$, then so do $\neg\phi$, $\phi \vee \psi$ and $\phi \frown \psi$.

The undecidability results for this case illustrate the strength of the notion
of duration for both discrete and continuous time.

7.1.3 $\mathit{RDC}_3$

In this extension, we add to RDC atomic formulas of the form

$\ell = x$,

where $x$ is a global variable, and we allow quantification over global variables:

$(\exists x)\phi$.

Hence, the set of formulas $\mathit{RDC}_3$ is the subset of DC generated as follows:

1. if $S$ is a state expression, then $\lceil S\rceil$ belongs to $\mathit{RDC}_3$,

2. if $x$ is a global variable, then $\ell = x$ belongs to $\mathit{RDC}_3$, and

3. if $\phi$ and $\psi$ belong to $\mathit{RDC}_3$, then so do $\neg\phi$, $\phi \vee \psi$, $\phi \frown \psi$ and $(\exists x)\phi$,
where $x$ is any global variable.

The undecidability results for this case illustrate the strength of quantification
in an interval logic for both discrete and continuous time.

Remark. For all of the three subsets, we shall use standard abbreviations $\wedge$,
$\Rightarrow$ and $\Leftrightarrow$ from propositional logic, and $\Box$ and $\Diamond$ from IL. □
7.1.4 Two-Counter Machines

The main technique used to obtain these undecidability results is to reduce
the undecidable halting problem of a counter machine to the satisfiability of
formulas belonging to the subsets. In this section, we give a brief and rather
informal introduction to two-counter machines. For a more careful treatment,
see [11, 65, 96], for example.

A two-counter machine has an initial label $q_0$, two counters $c_1$ and $c_2$
which can hold arbitrary natural numbers from $\mathbb{N} = \{0, 1, 2, \ldots\}$, and a finite
set of labeled instructions $m_1, \ldots, m_l$.

The only instructions of two-counter machines are to “increase $c_1$ by one”
($c_1^+$) and “test $c_1$ and decrease it by one if $c_1$ is not zero” ($c_1^-$), and similarly
for $c_2$.

For example,

$q_i : c_1^+ \rightarrow q_j$,

is an instruction labeled $q_i$. It increases $c_1$ by one and proceeds to the
instruction labeled $q_j$.

Another kind of instruction for $c_1$ is

$q_i : c_1^- \rightarrow q_j, q_k$,

which is also an instruction labeled $q_i$. It tests whether the value of $c_1$ is
zero; if so, the machine proceeds to the instruction labeled $q_j$; otherwise, the
machine decreases $c_1$ by one and proceeds to the instruction labeled $q_k$.

A configuration $s$ of a two-counter machine is a triple $s = (q, n_1, n_2)$ of
the current label $q$ and the values $n_1, n_2 \in \mathbb{N}$ of the two counters $c_1$ and $c_2$.
The configuration $(q, n_1, n_2)$ is final if there is no instruction labeled $q$ in the
machine.

A computation step of a two-counter machine, $s \Rightarrow s'$, transforms a
nonfinal configuration $s$ into a configuration $s'$ by means of an instruction of
the machine as follows (and similarly for $c_2$):

Instruction                         $s \Rightarrow s'$
$q : c_1^+ \rightarrow q_j$         $(q, n_1, n_2) \Rightarrow (q_j, n_1 + 1, n_2)$
$q : c_1^- \rightarrow q_j, q_k$    $(q, 0, n_2) \Rightarrow (q_j, 0, n_2)$
$q : c_1^- \rightarrow q_j, q_k$    $(q, n_1 + 1, n_2) \Rightarrow (q_k, n_1, n_2)$

A computation of a two-counter machine is a (finite or infinite) sequence
of computation steps

$\sigma = s_0 \Rightarrow s_1 \Rightarrow s_2 \Rightarrow \cdots$,

where, for any $s_i$ and $s_{i+1}$ in the computation, $s_i \Rightarrow s_{i+1}$ by means of an
instruction of the machine. A computation terminates iff it is a finite sequence
and ends up with a final configuration.

We call $s_0 = (q_0, 0, 0)$ the initial configuration, where $q_0$ is the initial label.
A two-counter machine starting with the initial configuration halts if all its
computations starting with $(q_0, 0, 0)$ terminate. We shall make use of the fact
that the halting problem for a two-counter machine starting with the initial
configuration is undecidable [11, p. 78]. This result also holds if we assume
that the two-counter machine is deterministic, that is, every two instructions
of the machine are labeled differently, and hence the computation of the
machine starting with the initial configuration is determined. This result
still holds even if we assume further that the two-counter machine contains
precisely one final label $q_{\mathit{fin}}$, i.e. $q_{\mathit{fin}}$ is the only label which no instruction
has as its label.

In the following, we consider an arbitrary deterministic two-counter machine
$M$ with the initial configuration $(q_0, 0, 0)$, where

1. $q_0, \ldots, q_{\mathit{fin}}$ are the labels of $M$, where $q_0$ is the initial label and $q_{\mathit{fin}}$ is
the only final label,

2. $c_1$ and $c_2$ are the two counters, and

3. $m_1, \ldots, m_l$ are the instructions of $M$.
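The computation-step table above, executed on a constructed deterministic machine, as an added example that is not from the book: the step function follows the three table rows, and a bounded run reports whether the single final label was reached. The dictionary encoding of instructions, the function names and both sample machines are this example's own assumptions.

```python
"""Two-counter machine of Sect. 7.1.4: configurations, computation steps, halting.

Added example, not the book's code.  Assumed encoding of a deterministic machine:
label -> ('inc', i, qj) for q: c_i^+ -> qj, or label -> ('dec', i, qj, qk) for
q: c_i^- -> qj, qk, with i in {1, 2}.  A configuration is a tuple (q, n1, n2).
"""

def step(machine, s):
    """One computation step s => s' from the instruction table; None if s is final."""
    q, n1, n2 = s
    if q not in machine:                  # no instruction labeled q: final configuration
        return None
    counters, ins = [n1, n2], machine[q]
    i = ins[1] - 1
    if ins[0] == 'inc':                   # q: c_i^+ -> qj
        counters[i] += 1
        return (ins[2], counters[0], counters[1])
    if counters[i] == 0:                  # q: c_i^- -> qj, qk with c_i = 0: go to qj
        return (ins[2], counters[0], counters[1])
    counters[i] -= 1                      # c_i > 0: decrease and go to qk
    return (ins[3], counters[0], counters[1])

def run(machine, bound, q0='q0'):
    """The computation from (q0, 0, 0), cut off after `bound` steps.

    Returns (configurations, halted); halted is True iff a final configuration was
    reached, which for a deterministic machine is exactly its halting condition.
    """
    s, trace = (q0, 0, 0), [(q0, 0, 0)]
    for _ in range(bound):
        nxt = step(machine, s)
        if nxt is None:
            return trace, True
        s = nxt
        trace.append(s)
    return trace, step(machine, s) is None

# Constructed sample machine: q0..q2 load 3 into c1, then q3..q5 turn each unit of c1
# into two units of c2, halting at the single final label qfin with (qfin, 0, 6).
DOUBLER = {
    'q0': ('inc', 1, 'q1'),
    'q1': ('inc', 1, 'q2'),
    'q2': ('inc', 1, 'q3'),
    'q3': ('dec', 1, 'qfin', 'q4'),
    'q4': ('inc', 2, 'q5'),
    'q5': ('inc', 2, 'q3'),
}
# Constructed machine that never reaches a final configuration.
LOOPER = {'q0': ('inc', 1, 'q0')}

if __name__ == '__main__':
    trace, halted = run(DOUBLER, 100)
    print(halted, trace[-1])          # True ('qfin', 0, 6)
    print(run(LOOPER, 20)[1])         # False
```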



7.2 Undecidability of $\mathit{RDC}_1(r)$

We reduce the halting problem for $M$ to the satisfiability of a formula in
$\mathit{RDC}_1(r)$ (for $r > 0$). The encoding of $M$ uses the following state variables:

• one state variable $Q_i$ for each label $q_i$,

• two state variables $C_1$ and $C_2$ to represent the counter values, and

• two auxiliary state variables $B$ and $L$, used as delimiters.

Let

$\mathcal{Q} = \{Q_0, \ldots, Q_{\mathit{fin}}\}$

in the following.

The main idea is that a machine configuration $(q, n_1, n_2)$ is encoded on
an interval of length $4r$ as follows:

| $Q$ | $\mathit{Val}_1$ | $L$ | $\mathit{Val}_2$ |
   r       r        r       r

where $\mathit{Val}_j$ represents the value of counter $c_j$.

This is done so that the $n$th configuration of a computation occupies the
interval $[4nr, 4(n+1)r]$, $n \ge 0$.

The representation, $\mathit{Val}_1$ and $\mathit{Val}_2$, of the counter values is the following.
Let the value of counter $c_i$ be $n_i \ge 0$. Then the interval describing $\mathit{Val}_i$ has
the following form:

$|B|C_i|B|\cdots|B|C_i|B|$,

with $n_i$ sections of $C_i$ separated by $B$.

Since this interval is required to have length $r$, and since there is no
bound on the counter value, the time length of each $C_i$ (and $B$) section must
be arbitrarily small. The denseness of the time domain makes this representation
possible. This representation was inspired by [3].

The reduction must formalize the computation of $M$ as a formula in
$\mathit{RDC}_1(r)$. In particular, we must construct a formula representing the initial
configuration and a formula expressing how the $(n+1)$th configuration
relates to the $n$th configuration in the computation. To do so, the following
abbreviations of formulas in $\mathit{RDC}_1(r)$ are useful:

$\lceil\,\rceil \;\widehat{=}\; \neg\lceil 1\rceil$

$\mathit{true} \;\widehat{=}\; \lceil 1\rceil \vee \lceil\,\rceil$

$\ell < r \;\widehat{=}\; \neg((\ell = r) \frown \mathit{true})$

$\ell = 2r \;\widehat{=}\; (\ell = r) \frown (\ell = r)$

$2r \le \ell \;\widehat{=}\; (\ell = 2r) \frown \mathit{true}$

$\ell < 3r \;\widehat{=}\; \neg((\ell = 2r) \frown (\ell = r) \frown \mathit{true})$

$\ell = 4r \;\widehat{=}\; (\ell = 2r) \frown (\ell = 2r)$

$\ell = 5r \;\widehat{=}\; (\ell = 4r) \frown (\ell = r)$

$\lceil S\rceil^r \;\widehat{=}\; \lceil S\rceil \wedge (\ell = r)$

The formula $\lceil S\rceil^r$ reads “$S$ has value one for a duration of $r$”, and the formula
$\phi \mathrel{\frown\!\!\rightarrow} \psi$ reads “if the interval starts with $\phi$, it must end immediately with $\lceil\,\rceil$
or with $\psi$”.

The initial configuration is $(q_0, 0, 0)$, which is represented by the formula

$\mathit{Init}_1 \;\widehat{=}\; \lceil Q_0\rceil^r \frown \lceil B\rceil^r \frown \lceil L\rceil^r \frown \lceil B\rceil^r \frown \mathit{true}$.

State variables must be mutually exclusive:

$\mathit{Mutex}_1 \;\widehat{=}\; \bigwedge \Box\neg\lceil P_1 \wedge P_2\rceil$,

where $P_1, P_2$ range over $\mathcal{Q} \cup \{C_1, C_2, L\}$.
Certain state expressions have a periodic appearance, since configurations
are represented on intervals of length $4r$. Let

$\mathit{Per}(\phi) \;\widehat{=}\; \Box((\phi \frown (\ell = 4r)) \Rightarrow ((\ell = 4r) \frown \phi))$.

Machine labels, counter values and the separator $L$ have a periodic
appearance. Let

$\mathit{Periodic} \;\widehat{=}\; \cdots \wedge \mathit{Per}(\lceil C_1 \vee B\rceil^r) \wedge \mathit{Per}(\lceil L\rceil^r) \wedge \mathit{Per}(\lceil C_2 \vee B\rceil^r)$.

For each instruction $m$ of $M$ we give a formula $F(m)$, encoding the
computation steps performed by $m$.

Suppose the machine instruction $m$ is $q_i : c_1^+ \rightarrow q_j$. The possible computation
steps allowed by $m$ are described by a formula

$F(m) \;\widehat{=}\; F_1 \wedge F_2 \wedge F_3 \wedge F_4 \wedge F_5 \wedge F_6$,

where each $F_i$ is defined below.

From the determinism of $M$, $q_j$ is the only label of the succeeding
configuration that is reached when $m$ is performed. The formula $F_1$ expresses
this:

$F_1 \;\widehat{=}\; (\lceil Q_i\rceil^r \frown (\ell = 4r)) \Rightarrow ((\ell = 4r) \frown \lceil Q_j\rceil^r)$.

The formula $F_2$ copies the $C_1$ sections to the same place in the next
configuration. To encode this process, we use formulas of the form $\phi \mathrel{\frown\!\!\rightarrow} \psi$.
Here $\phi$ characterizes certain configurations whose label is $q_i$, and $\psi$ fixes part
of the next configuration. The formula is given by

$F_2 \;\widehat{=}\; ((\cdots \frown \lceil C_1\rceil \frown \mathit{true}) \wedge (\ell = 4r)) \mathrel{\frown\!\!\rightarrow} (\lceil C_1\rceil \frown \mathit{true})$.

We can copy the $B$ sections before a $C_1$ section in $\mathit{Val}_1$ to the same place
in the next configuration using the same technique:

$F_3 \;\widehat{=}\; ((\cdots \frown \lceil B\rceil \frown \lceil C_1\rceil \frown \mathit{true}) \wedge (\ell = 4r)) \mathrel{\frown\!\!\rightarrow} (\lceil B\rceil \frown \mathit{true})$.

The formulas $F_4$ and $F_5$ increase the value of $c_1$ by replacing the last $B$
section of $\mathit{Val}_1$ with $|B|C_1|B|$ in the next configuration.

The formula $F_4$ handles the case $n_1 = 0$:

$F_4 \;\widehat{=}\; \cdots \mathrel{\frown\!\!\rightarrow} (\mathit{true} \frown ((\ell = r) \wedge (\lceil B\rceil \frown \lceil C_1\rceil \frown \lceil B\rceil)))$.

The formula $F_5$ handles the case $n_1 > 0$:

$F_5 \;\widehat{=}\; \cdots \mathrel{\frown\!\!\rightarrow} (\mathit{true} \frown ((\ell = r) \wedge (\lceil B\rceil \frown \lceil C_1\rceil \frown \lceil B\rceil \frown \lceil L\rceil)))$.

Note that the beginnings of successive $L$ sections are exactly $4r$ apart,
and therefore the length of the $\lceil B\rceil \frown \lceil C_1\rceil \frown \lceil B\rceil$ section in the consequent
in $F_5$ is precisely as long as the last $\lceil B\rceil$ section in the antecedent.

Thus, $F_4 \wedge F_5$ models the condition that the number of $C_1$ sections is
increased by one, as desired.

The formula $F_6$ copies the value of $c_2$ to the next configuration using the
same technique as used above:

$F_6 \;\widehat{=}\; \big(((\lceil Q_i\rceil^r \frown (2r \le \ell < 3r) \frown \lceil C_2\rceil \frown \mathit{true}) \wedge (\ell = 4r)) \mathrel{\frown\!\!\rightarrow} (\lceil C_2\rceil \frown \mathit{true})\big)$
$\;\wedge\; \big(((\lceil Q_i\rceil^r \frown (2r \le \ell < 3r) \frown \lceil B\rceil \frown \mathit{true}) \wedge (\ell = 4r)) \mathrel{\frown\!\!\rightarrow} (\lceil B\rceil \frown \mathit{true})\big)$.

The formula $\mathit{Periodic}$ takes care of copying the $L$ section to the next
configuration.

Every instruction $m_i$ can be encoded as a formula $F(m_i)$ by techniques
similar to those used above. If this is done, the entire machine is encoded as
follows:

$\mathit{Machine}_1 \;\widehat{=}\; \mathit{Mutex}_1 \wedge \mathit{Init}_1 \wedge \mathit{Periodic} \wedge \bigwedge_{i=1}^{l} \Box F(m_i)$.

By the construction of the formula $\mathit{Machine}_1$, we know that the computation
of $M$ terminates (i.e. the computation is a finite sequence of configurations
ending up with a final one) if and only if $(\mathit{Machine}_1 \wedge \Diamond\lceil Q_{\mathit{fin}}\rceil)$ is
satisfiable.

Theorem 7.1 The satisfiability problem of formulas in $\mathit{RDC}_1(r)$ ($r > 0$) is
undecidable for continuous time.

Remark. This result depends on the ability to express precisely the length of
intervals as $\ell = r$. One would, however, not obtain a decidable subset if the
formula $\ell < r$ was used instead, since $\ell = r$ can be derived from $\ell < r$ as
follows:

$\ell = r \;\widehat{=}\; \neg((\ell < r) \vee (\lceil 1\rceil \frown \neg(\ell < r)))$.

Thus, we cannot achieve a decidable subset by “relaxing the punctuality”
from $\ell = r$ to $\ell < r$, analogously to the result discussed in [7]. We do not
know whether this is possible when $\ell > r$ is considered instead of $\ell = r$. □



7.3 Undecidability of RDC_2

We reduce the halting problem for M to the satisfiability of a formula in RDC_2. We give a reduction which works for both the discrete- and the continuous-time domain. The following state variables are used in this reduction:

1. two state variables C_i^+ and C_i^- for each counter c_i, i = 1, 2, and

2. state variables Q = {Q_0, ..., Q_fin} corresponding to the labels of M.

The intention behind using the state variables C_i^+ and C_i^- for counter c_i, for i = 1, 2, is that the value of c_i is represented by the value of

$\int C_i^{+} - \int C_i^{-}$

on a suitable interval (see below). In the reduction, it is only necessary to test whether the value of c_i is 0, and this is expressed by the formula

$\int C_i^{+} = \int C_i^{-}$ .

Hence, using C_i^+ (and C_i^-), the value of c_i can be increased (and decreased).
The main idea is to encode in RDC_2 the computation

$s_0 \; s_1 \; s_2 \cdots$

of M by a sequence of sections of the form

$|QE_0|C_0|QE_1|C_1|QE_2|C_2|\cdots$ ,

where QE_k is a state expression of Q, and C_k is a state expression of {C_1^+, C_1^-, C_2^+, C_2^-}.

If s_k = (q_k, n_{k1}, n_{k2}), then QE_k is a state expression representing the label q_k, and the values n_{k1}, n_{k2} of the two counters in the k-th configuration are represented by the values of ∫C_i^+ − ∫C_i^-, for i = 1, 2, over the interval covering the sections C_0, C_1, C_2, ..., C_k. For this idea to work, it must be specified that all sections have the same length and that the QE_k and C_k sections are mutually exclusive.
To formalize this idea, we introduce the following abbreviations for state expressions:

$C^{\vee} = C_1^{+} \vee C_1^{-} \vee C_2^{+} \vee C_2^{-}$

$C^{\wedge} = C_1^{+} \wedge C_1^{-} \wedge C_2^{+} \wedge C_2^{-}$

$Q^{\vee} = Q_0 \vee \cdots \vee Q_{fin}$ ,

where C^∨ describes a possible change of the value of c_1 and c_2, and C^∧ actually maintains the value of the counters.

Concerning counter values, we introduce the following abbreviations for formulas in RDC_2:

$\lceil S \rceil = (\int S = \int 1) \wedge \neg(\int 0 = \int 1)$

$\mathit{Incr}_1 = \lceil C_1^{+} \wedge \neg(C_1^{-} \vee C_2^{+} \vee C_2^{-}) \rceil$

$\mathit{Decr}_1 = \lceil C_1^{-} \wedge \neg(C_1^{+} \vee C_2^{+} \vee C_2^{-}) \rceil$

$\mathit{Incr}_2 = \lceil C_2^{+} \wedge \neg(C_2^{-} \vee C_1^{+} \vee C_1^{-}) \rceil$

$\mathit{Decr}_2 = \lceil C_2^{-} \wedge \neg(C_2^{+} \vee C_1^{+} \vee C_1^{-}) \rceil$

$\mathit{Const} = \lceil C^{\wedge} \rceil$ .

The formula Incr_1 expresses the fact that the value of counter c_1 is increased by one by letting C_1^+ be one throughout one section, while the other counter state variables are zero. The formulas Decr_1, Incr_2, Decr_2 have similar explanations. Const is used to keep the counter values constant from one configuration to the next (by increasing ∫C_i^- as much as ∫C_i^+).

The following abbreviations will also be used for formulas in RDC_2:

$\int S > 0 = \Diamond \lceil S \rceil$

$\lceil\,\rceil = \neg \lceil 1 \rceil$

$\mathit{true} = \lceil\,\rceil \vee \lceil 1 \rceil$

I V •i/’)) 

$\Diamond_p \phi = \phi \frown \mathit{true}$ reads: "for some prefix interval: φ"

$\Box_p \phi = \neg \Diamond_p \neg \phi$ reads: "for all prefix intervals: φ".

Let R and S be two exclusive and complete state expressions. Let

$\cdots|R|S|R|S|R|\cdots$

be a (finite or infinite) sequence of alternating R and S sections, where all sections except the first and the last (if the sequence is finite) have the same length.
Below, we construct a formula EqSize(R, S) in RDC_2 which describes the above sequence.

$\mathit{EqSize}(R, S) =$

$\quad \Box(\lceil R \Leftrightarrow \neg S \rceil \vee \lceil\,\rceil)$  (a)

$\quad \wedge\; \Box\big((\lceil R\rceil \frown \lceil S\rceil \frown \lceil R\rceil) \Rightarrow ((\mathit{true} \frown (\int S = \int R > 0)) \wedge ((\int S = \int R > 0) \frown \mathit{true}))\big)$  (b)

$\quad \wedge\; \Box\big((\lceil S\rceil \frown \lceil R\rceil \frown \lceil S\rceil) \Rightarrow ((\mathit{true} \frown (\int R = \int S > 0)) \wedge ((\int R = \int S > 0) \frown \mathit{true}))\big)$ ,  (c)

where (a) requires that the state expressions R and S are complete and mutually exclusive, and (b) and (c) require that the length of each middle section is greater than or equal to the length of its neighboring sections. Therefore all the middle sections have the same length.

The following property expresses the fact that the states corresponding to the labels of M are mutually exclusive:

$\mathit{Mutex}_2 = \bigwedge_{P_1 \neq P_2} \Box \neg \lceil P_1 \wedge P_2 \rceil$ ,

where P_1 and P_2 range over Q.

The computation of M is encoded by a sequence of alternating Q and C sections defined by the formula

$\mathit{Machine}_2 = \mathit{Mutex}_2 \wedge \mathit{EqSize}(Q^{\vee}, C^{\vee}) \wedge \mathit{Init}_2 \wedge \bigwedge_{i=1}^{l} \Box_p G(m_i)$ ,

where Init_2 encodes the initial configuration and G(m_i) encodes a transition from one configuration to the next caused by the instruction m_i. These formulas are defined below.

The initial configuration is (q_0, 0, 0):

$\mathit{Init}_2 = \lceil Q_0 \rceil \frown \lceil C^{\wedge} \rceil \frown \mathit{true}$ .

The formula Init_2 requires that the sequence will start at Q_0 and continue with C^∧. Thus, Init_2 ∧ EqSize(Q^∨, C^∨) can guarantee that all C sections will have the same length, provided C does not appear at the end of the sequence when the sequence is finite.

The formulas G(m_i) (for i = 1, ..., l), which ensure that the encoding sequence will end in Q_fin if it is finite, are defined below.

For the instruction q_j : c_1^+ → q_k we must formalize the condition that any initial segment

$|Q_0|C_0|\cdots|Q_j|C|$

of the sequence is expanded to

$|Q_0|C_0|\cdots|Q_j|C|Q_k|C_1^{+}|Q^{\vee}|$ ,

where only one expansion is possible, owing to the determinism of M. We have

(( V 

V V (true ^[(7^1)/ \ jQj = 

flQkl 

V 

ilQkli^Incri) 

V 

Inert ^true) 

The situation is slightly more complicated for the instruction q_j : c_i^- → q_k, q_u, as we must take care of the question of whether the value of counter c_i is zero. We obtain





Gilj ■ c~i 



n \ /(r^d^rc'^1) 

(tme-rC^l)/ V = 

Pt = Jc- 



^ Const) 

V 

, ^ Const '^true) 



(true-rC''^!)/ V lQj = JC^ 

-(Pt = pn 

V ! 

([<3«1 ^Decrt) 

V 

V(r<5«l '^Decri'^'lQ'^} ^true ) ) 
The first conjunct of G(q_j : c_i^- → q_k, q_u) describes the case where the value of counter c_i is zero, and the second conjunct describes the case of a positive value of counter c_i.

It can be proved that if Machine_2 ∧ ◇⌈Q_fin⌉ is satisfiable, then a terminating computation of M can be constructed, and vice versa. Thus, the halting problem for a two-counter machine can be reduced to the satisfiability of formulas in RDC_2.

Theorem 7.2 The satisfiability problem of formulas in RDC_2 is undecidable for both discrete time and continuous time.



7.4 Undecidability of RDC_3

The halting problem for M can be reduced to the satisfiability of a formula in RDC_3. We give a reduction which works for both the discrete- and the continuous-time domain.

The encoding of M uses state variables L_1, L_2, C and Q_0, ..., Q_fin, where L_1 and L_2 delimit machine configurations, C is used to represent the counter values and the Qs correspond to the labels of the counter machine. All these state variables must be mutually exclusive:

$\mathit{Mutex}_3 = \bigwedge_{P_1 \neq P_2} \Box \neg \lceil P_1 \wedge P_2 \rceil$ ,

where P_1 and P_2 range over {Q_0, ..., Q_fin, C, L_1, L_2}.

A configuration of the machine is represented by a sequence of sections Q, L and C, all of the same length:

$|Q|\underbrace{C|\cdots|C}_{n_1}|L_1|\underbrace{C|\cdots|C}_{n_2}|L_2|$ .

Here Q is the label of the configuration of M, n_1 is the value of the first counter c_1, and n_2 is the value of the second counter c_2. The lengths of the Q, C and L sections must be the same.

The initial configuration, (q_0, 0, 0), is represented by |Q_0|L_1|L_2|:

$\mathit{Init}_3 = \exists x.\,(\lceil Q_0 \rceil \wedge (\ell = x)) \frown (\lceil L_1 \rceil \wedge (\ell = x)) \frown (\lceil L_2 \rceil \wedge (\ell = x)) \frown \mathit{true}$ .

Each instruction m_i of the counter machine is encoded as a formula H(m_i) in RDC_3, which relates a configuration of the machine to the next configuration.

We shall use the abbreviation ⌈S⌉^x, which is a generalization of ⌈S⌉^r (for r > 0) used in Sect. 7.2:

$\lceil S \rceil^{x} = (\lceil\,\rceil \vee \lceil S \rceil) \wedge (\ell = x)$ ,

where x ranges over real numbers.

An instruction q_j : c_1^+ → q_k transforms configurations as follows:

$|Q_j|\underbrace{C|\cdots|C}_{n_1}|L_1|\underbrace{C|\cdots|C}_{n_2}|L_2| \;\Rightarrow\; |Q_k|\underbrace{C|\cdots|C}_{n_1+1}|L_1|\underbrace{C|\cdots|C}_{n_2}|L_2|$ .

Taking into account the determinism of M, we can encode this transformation by means of the formula

$H(q_j : c_1^{+} \to q_k) =$
$\quad \forall x, y, z.\; \big((\lceil Q_j\rceil^{x} \frown \lceil C\rceil^{y} \frown \lceil L_1\rceil^{x} \frown \lceil C\rceil^{z} \frown \lceil L_2\rceil^{x} \frown (\ell = 4x + y + z))$
$\qquad \Rightarrow ((\ell = 3x + y + z) \frown \lceil Q_k\rceil^{x} \frown \lceil C\rceil^{x} \frown \lceil C\rceil^{y} \frown \lceil L_1\rceil^{x} \frown \lceil C\rceil^{z} \frown \lceil L_2\rceil^{x})\big)$ ,

where ∀x is the dual of ∃x and can be expressed in RDC_3, and the formula (ℓ = 3x + y + z) is an abbreviation of the following formula of RDC_3: (ℓ = x) ⌢ (ℓ = x) ⌢ (ℓ = x) ⌢ (ℓ = y) ⌢ (ℓ = z). A similar formula of RDC_3 exists for (ℓ = 4x + y + z).

The formula H(q_j : c_2^+ → q_k) can be constructed similarly.

An instruction q_j : c_1^- → q_k, q_u transforms configurations as follows. When the first counter value is zero,

$|Q_j|L_1|\underbrace{C|\cdots|C}_{n_2}|L_2| \;\Rightarrow\; |Q_k|L_1|\underbrace{C|\cdots|C}_{n_2}|L_2|$ ,

and when the first counter value is nonzero,

$|Q_j|\underbrace{C|\cdots|C}_{n_1+1}|L_1|\underbrace{C|\cdots|C}_{n_2}|L_2| \;\Rightarrow\; |Q_u|\underbrace{C|\cdots|C}_{n_1}|L_1|\underbrace{C|\cdots|C}_{n_2}|L_2|$ .



Because of the determinism of M, these computation steps can be encoded as the formula

$H(q_j : c_1^{-} \to q_k, q_u) =$
$\quad \forall x, z.\; \big((\lceil Q_j\rceil^{x} \frown \lceil L_1\rceil^{x} \frown \lceil C\rceil^{z} \frown \lceil L_2\rceil^{x} \frown (\ell = 3x + z))$
$\qquad \Rightarrow ((\ell = 3x + z) \frown \lceil Q_k\rceil^{x} \frown \lceil L_1\rceil^{x} \frown \lceil C\rceil^{z} \frown \lceil L_2\rceil^{x})\big)$
$\quad \wedge$
$\quad \forall x, y, z.\; \big((\lceil Q_j\rceil^{x} \frown \lceil C\rceil^{x} \frown \lceil C\rceil^{y} \frown \lceil L_1\rceil^{x} \frown \lceil C\rceil^{z} \frown \lceil L_2\rceil^{x} \frown (\ell = 3x + y + z))$
$\qquad \Rightarrow ((\ell = 4x + y + z) \frown \lceil Q_u\rceil^{x} \frown \lceil C\rceil^{y} \frown \lceil L_1\rceil^{x} \frown \lceil C\rceil^{z} \frown \lceil L_2\rceil^{x})\big)$ .

The instruction q_j : c_2^- → q_k, q_u can be encoded similarly, and the encoding of M is given by

$\mathit{Machine}_3 = \mathit{Mutex}_3 \wedge \mathit{Init}_3 \wedge \bigwedge_{i=1}^{l} \Box H(m_i)$ .
The formula Machine_3 ∧ ◇⌈Q_fin⌉ is satisfiable if and only if M terminates, and hence:

Theorem 7.3 The satisfiability problem of formulas in RDC_3 is undecidable for both discrete time and continuous time.




8. Model Checking: Linear Duration Invariants 



In Chap. 7, it was proved that the satisfiability (and validity) of simple 
subclasses of DC formulas is undecidable for both the continuous- and the 
discrete-time domains. In Chap. 6, decidable subclasses of DC formulas were 
identified. Some are decidable for both the continuous- and the discrete-time 
domains, while others are decidable for discrete time only. 

In the discrete-time domain, interpretations of DC are restricted to those Boolean-valued functions which change their values at integer points only. Research on decidability and undecidability often imposes restrictions on syntax and/or on interpretation when exploring this topic.

In this chapter, we consider continuous time only, and confine ourselves to interpretations which are generated from a real-time automaton with upper- and lower-bound timing constraints on its transitions. Furthermore, we syntactically confine ourselves to the subclass of DC formulas which have the form

$c_{min} \le \ell \;\Rightarrow\; \sum_{i=1}^{n} c_i \int P_i \le c$ ,

where c_min, c, and c_i for 1 ≤ i ≤ n are real numbers, and P_i for 1 ≤ i ≤ n are state variables. We call a formula of this form a linear duration invariant.

For example, if we ignore the modality □ in GbReq, the simplified requirement of the gas burner is a linear duration invariant, since

$\ell \ge 60 \;\Rightarrow\; 20 \int \mathit{Leak} \le \ell$

can be reformulated as

$60 \le \ell \;\Rightarrow\; (20 \int \mathit{Leak} - \ell) \le 0$

and, by use of ℓ = (∫Leak + ∫NonLeak), it can be further reformulated as

$60 \le \ell \;\Rightarrow\; (19 \int \mathit{Leak} - \int \mathit{NonLeak}) \le 0$ ,

which is a linear duration invariant with state variables Leak and NonLeak. (Remember that NonLeak = ¬Leak.)

This chapter gives a positive answer to the question of whether we can decide that any interpretation generated by a real-time automaton with P_i for 1 ≤ i ≤ n as its states satisfies a linear duration invariant, and describes how this can be done.

An algorithm is presented in this chapter which reduces the problem to 
a finite number of linear programming problems. Therefore, algorithms for 
solving linear programming problems can, in combination with this reduction, 
be used to check the truth of a linear duration invariant with respect to any 
interpretations generated by a real-time automaton. 

It is easy to apply this algorithm to check the truth of a conjunction of linear duration invariants and to generalize the algorithm to formulas of the form

$(c_{min} \le \ell \le c_{max}) \;\Rightarrow\; \sum_{i=1}^{l} c_i \int S_i \le c$ ,

where c_max is either a real number or ∞, and each S_i is constructed from the states of the real-time automaton using the Boolean connectives.

In this chapter, we first use the gas burner example to explain the main 
ideas of the algorithm and to explain how it can check the correctness of a 
gas burner design with respect to the requirement, although a formal proof 
through DC deduction was given in Sect. 3.5. After the example, the reduction 
is formalized and proved correct. 

The work presented in this chapter is based on [172]. 



8.1 Example 

The main ideas and concepts of this chapter will be introduced here using the gas burner example. Consider the formulas

$\Box(\lceil \mathit{Leak} \rceil \Rightarrow \ell \le 1)$

$\Box((\lceil \mathit{Leak} \rceil \frown \lceil \mathit{NonLeak} \rceil \frown \lceil \mathit{Leak} \rceil) \Rightarrow \ell \ge 30)$ ,

which model a design for the gas burner.

This design can be represented by the real-time automaton in Fig. 8.1, which has two states, Leak and NonLeak.

The two edges of the automaton are called transitions, and are labeled f (for failure) and r (for recovery). The state NonLeak is called the pre-state of f and Leak is called the post-state of f, and similarly for the transition labeled r.

The transitions are also labeled with timing constraints. The timing con- 
straint on transition r is a bounded and closed interval [0, 1], denoting that 
the automaton can stay in the Leak state for at most one time unit be- 
fore a transition to the NonLeak state takes place. The timing constraint on 
transition f is a left closed, unbounded interval [30, oo), denoting that the 
automaton must stay in the NonLeak state for at least 30 time units before 
Fig. 8.1. Real-time automaton for the gas burner



a transition to the Leak state can take place, and it can even stay in the 
NonLeak state forever. 

Suppose for the moment that NonLeak is the initial state of the automa- 
ton. A finite sequence of transitions represents an untimed behavior of the 
automaton, e.g. an untimed sequence of transitions 

frf, 

which starts with an f (failure) transition since NonLeak is the initial state, 
and then an r (recovery) transition followed by another failure transition. 

A timed behavior of the automaton is obtained from an untimed transi- 
tion sequence by marking each transition with the number of time units the 
automaton spends in the pre-state of the transition, e.g. 

(f,31)(r,0.5) (f,50) 

is a timed sequence of transitions describing a timed behavior of an au- 
tomaton which spends 31 time units in the NonLeak state before a failure 
transition to the Leak state occurs. It then stays for 0.5 time units in the 
Leak state before a recovery transition to the NonLeak state occurs. Finally, 
the automaton stays for 50 time units in the NonLeak state before a new 
failure transition to the Leak state occurs. 

A timed behavior of the automaton must respect the timing constraints on the transitions, e.g. the timed sequence

$(f, t_1)\,(r, t_2)\,(f, t_3)$

must satisfy

$t_1 \ge 30,\quad 0 \le t_2 \le 1 \quad\text{and}\quad t_3 \ge 30$ .

For this timed sequence, the total accumulated time the automaton spends in the NonLeak state is t_1 + t_3:

$\int \mathit{NonLeak} = t_1 + t_3$ .

Similarly, the (accumulated) time spent in the Leak state is t_2 and the length of the total time period covered by this timed sequence is t_1 + t_2 + t_3, i.e.

$\int \mathit{Leak} = t_2$

and

$\ell = \int \mathit{Leak} + \int \mathit{NonLeak} = t_1 + t_2 + t_3$ .

In the following, we investigate how to check the truth of the linear duration invariant representing the simplified requirement of the gas burner

$60 \le \ell \;\Rightarrow\; (19 \int \mathit{Leak} - \int \mathit{NonLeak}) \le 0$ ,

with respect to all timed sequences of transitions of the gas burner automaton. 

First, let us fix an untimed transition sequence. Note that infinitely many 
timed sequences may be obtained from a given untimed sequence. An untimed 
sequence of transitions of a real-time automaton satisfies a linear duration 
invariant iff all timed sequences of the automaton obtained from the untimed 
sequence satisfy the invariant. 

Consider the problem in Fig. 8.2.

Is the linear duration invariant

$60 \le \ell \;\Rightarrow\; 19 \int \mathit{Leak} - \int \mathit{NonLeak} \le 0$

satisfied by the untimed sequence of transitions frf of the gas burner automaton?

Fig. 8.2. Satisfaction problem for an untimed sequence



Fortunately, this problem can be formulated and solved by using linear 
programming (see Fig. 8.3). Therefore, the problem of whether an untimed 
sequence satisfies a linear duration invariant is decidable, as any algorithm 
solving the linear programming problem can be used to decide our problem. 

It is easy to calculate that the maximum of the objective function in Fig. 8.3 under the constraints is −41, since t_1, t_3 ≥ 30 and t_2 ≤ 1. So the untimed sequence frf satisfies the linear duration invariant.
Constraints:

$t_1 \ge 30,\quad 0 \le t_2 \le 1,\quad t_3 \ge 30 \quad\text{and}\quad (t_1 + t_2 + t_3) \ge 60$ .

Objective function:

$19\,t_2 - (t_1 + t_3)$ .

• If the maximal value of the objective function is positive, then the linear duration invariant is violated by frf.

• If the maximal value of the objective function is less than or equal to 0, then frf satisfies the linear duration invariant.

Fig. 8.3. Linear programming problem



Thus, if the gas burner automaton has only finitely many untimed transition sequences, then the satisfaction problem of the linear duration invariant can be transformed into a finite number of linear programming problems, and solved effectively. Unfortunately, this automaton can produce infinitely many untimed transition sequences, and they can be expressed in terms of a regular language as

$(fr)^{*} \cup (fr)^{*} f$ ,

where * stands for repetition and ∪ for the union (see Sect. 6.2 for more details). Remember that NonLeak is the initial state.

Therefore, the remaining part of the investigation concerns how to reduce 
the satisfaction problem for an infinite set of untimed transition sequences to 
satisfaction problems for a finite set of untimed ones. 

It is obvious that the satisfaction problem for the untimed sequences defined by ((fr)* ∪ (fr)*f) can be reduced to two satisfaction problems by considering (fr)* and (fr)*f individually.

Now let us consider the satisfaction problem in Fig. 8.4 for (fr)*, which produces an infinite number of untimed transition sequences.

Is the linear duration invariant

$60 \le \ell \;\Rightarrow\; 19 \int \mathit{Leak} - \int \mathit{NonLeak} \le 0$

satisfied by every untimed transition sequence of the gas burner automaton included in (fr)*?

Fig. 8.4. Satisfaction problem for a regular expression
Interestingly, any timed sequence obtained from a pair of transitions fr decreases the value of (19∫Leak − ∫NonLeak) by at least 11, since the automaton can stay in the state NonLeak for at least 30 time units and in the state Leak for at most 1 time unit.

Thus, if the timed sequences obtained from repetition of fr k times, (fr)^k, always cover a time interval which is not less than 60 time units and the values of (19∫Leak − ∫NonLeak) given by them are not greater than 0, then repetition m times to give (fr)^m (for any m > k) satisfies the linear duration invariant.

The above reasoning implies that if the timed sequences obtained from (fr)^k always cover a time period not less than 60 time units, then the satisfaction problem for (fr)* can be reduced to a similar problem for

$\bigcup_{i=0}^{k} (fr)^{i}$ ,

which produces only finitely many untimed transition sequences.

From the timing constraint that the automaton has to stay in NonLeak for at least 30 time units, it can be proved that the timed behavior obtained from (fr)^2 always covers a time period not less than 60 time units. See Fig. 8.5.

If the linear duration invariant

$60 \le \ell \;\Rightarrow\; 19 \int \mathit{Leak} - \int \mathit{NonLeak} \le 0$

is satisfied by every untimed transition sequence of the gas burner automaton included in

$\bigcup_{i=0}^{2} (fr)^{i}$ ,

then it is also satisfied by every untimed transition sequence of the automaton included in

$(fr)^{*}$ .

Fig. 8.5. Reduction of a satisfaction problem



Similarly, any timed sequence obtained from a pair of transitions rf also decreases the value of (19∫Leak − ∫NonLeak) by at least 11, and the timed sequences obtained from frf always cover a time period not less than 60 time units. Thus, the satisfaction problem for (fr)*f can be reduced to a similar problem for the untimed sequences included in

$\bigcup_{i=0}^{1} (fr)^{i} f$ .

Therefore we can reduce the satisfaction problem of the linear duration 
invariant for the gas burner automaton to a finite number of linear program- 
ming problems. 

In fact, it can be reduced to four linear programming problems, which correspond to the untimed behaviors

f, fr, frf and frfr ,

if we exclude the plain behavior for the empty sequence. Their objective functions have maximum values

−60, −40, −41 and −22,

respectively, and the answers are all positive. So we can prove the correctness of the design of the gas burner with respect to the simplified requirement by model checking.

The observations in the above example can be easily generalized to cover other cases. For example, if there exists a timed sequence obtained from fr which increases the value of (19∫Leak − ∫NonLeak) by a positive amount, then the linear duration invariant will be violated eventually, since the repetition of fr will eventually cover a time period not less than 60, and increase the value of (19∫Leak − ∫NonLeak) to go beyond any given bound.

In the following we elaborate and formalize the above observations, and develop systematically an algorithm to check linear duration invariants against real-time automata. The notion of a real-time automaton is formalized in Sect. 8.2, and Sect. 8.3 formalizes the notion of a linear duration invariant. In Sect. 8.4 an algorithm is developed to reduce the satisfaction of a linear duration invariant for a (possibly infinite) regular language of untimed sequences into a finite set of linear programming problems. Section 8.5 briefly discusses possible generalizations of the algorithm.



8.2 Real-Time Automata 



The notion of real-time automata defined in this section corresponds to a 
subclass of the timed automata of [5], where each automaton has one clock 
which is reset after every transition. 
A real-time automaton A is a tuple (V, T, low, up) which satisfies the following conditions:

1. V is a finite set of states {P_1, ..., P_n}, where the states are exclusive and complete.

2. T ⊆ V × V is a finite set of transitions. If p = (P_i, P_j) is a transition, then P_i is called the pre-state of p and P_j is called the post-state of p. We denote the indices of pre- and post-states by $\overleftarrow{p}$ and $\overrightarrow{p}$, i.e. $\overleftarrow{p} = i$ and $\overrightarrow{p} = j$.

3. The functions

$\mathit{low} : T \to \mathbb{R}$

$\mathit{up} : T \to (\mathbb{R} \cup \{\infty\})$

denote the lower- and upper-bound timing constraints on the transitions, and we require, for any p ∈ T,

$0 \le \mathit{low}(p) \le \mathit{up}(p)$
$\text{and}\quad \mathit{low}(p) = 0 \;\Rightarrow\; \mathit{up}(p) > 0$ ,

where we accept x < ∞ for x ∈ ℝ, and ∞ > 0.

An untimed sequence of A is a finite sequence of transitions of A,

$\mathit{Seq} = p_1 p_2 \cdots p_m$ ,

where m ≥ 0, $p_i \in T$ (1 ≤ i ≤ m) and $\overrightarrow{p_i} = \overleftarrow{p_{i+1}}$ (1 ≤ i < m).

By $\overrightarrow{p_i} = \overleftarrow{p_{i+1}}$ we express the fact that p_i and p_{i+1} are two consecutive transitions, which are linked to each other at state $P_{\overrightarrow{p_i}}$. The empty sequence (m = 0) is written as ε.

Let L_A denote the set of untimed sequences of A. L_A is a regular language over the alphabet T, as it is accepted by a finite automaton (where every state is both an initial and an accepting state).

A timed sequence of A is a finite sequence

$\mathit{TSeq} = (p_1, t_1)\,(p_2, t_2) \cdots (p_m, t_m)$ ,

where

$p_1 p_2 \cdots p_m \in L_A$

and

$\mathit{low}(p_i) \le t_i \le \mathit{up}(p_i) \quad (1 \le i \le m)$ .

From now on we assume that a real-time automaton A = (V, T, low, up), where V = {P_1, ..., P_n}, is given.
8.3 Linear Duration Invariants

A linear duration invariant for the real-time automaton A is a DC formula of the form

$\mathit{LDI} = c_{min} \le \ell \;\Rightarrow\; \sum_{i=1}^{n} c_i \cdot \int P_i \le c$ ,

where

• c_min, c_i (1 ≤ i ≤ n) and c are real numbers, and

• P_i (1 ≤ i ≤ n) are states of A.

The value of ∫P_i (1 ≤ i ≤ n) for a timed sequence of A

$\mathit{TSeq} = (p_1, t_1)\,(p_2, t_2) \cdots (p_m, t_m)$

is

$\mathit{TSeq}(\int P_i) = \sum_{j \in \alpha_i} t_j$ ,

where $\alpha_i = \{\, j \mid 1 \le j \le m \text{ and } \overleftarrow{p_j} = i \,\}$.

The value of ℓ for the timed sequence TSeq is

$\mathit{TSeq}(\ell) = \sum_{j=1}^{m} t_j$ .

The linear function in LDI is denoted by

$\mathit{LF} = \sum_{i=1}^{n} c_i \cdot \int P_i$ .

The value of the linear function LF for a timed sequence TSeq is

$\mathit{TSeq}(\mathit{LF}) = \sum_{i=1}^{n} c_i \cdot \mathit{TSeq}(\int P_i)$ .

Lemma 8.1 For any timed sequences TSeq_1, TSeq_2 and state P,

$(\mathit{TSeq}_1 \frown \mathit{TSeq}_2)(\int P) = (\mathit{TSeq}_2 \frown \mathit{TSeq}_1)(\int P)$ ,

where (_⌢_) stands for the concatenation operator for timed sequences.

Proof. This follows from the definition of TSeq(∫P) and the fact that addition is commutative. □

Remark. Careful readers may notice that a reordered timed sequence may violate the transition consecutivity of the sequence, and cannot be regarded as a timed behavior of the automaton. However, the value of ∫P (P ∈ V) can be computed for any timed (or untimed) sequence, whether or not it possesses the property of consecutivity, and the satisfaction problem of a linear duration invariant remains meaningful. In the following reduction, we always take this to be understood. □
The linear duration invariant

$c_{min} \le \ell \;\Rightarrow\; \sum_{i=1}^{n} c_i \cdot \int P_i \le c$

is satisfied by the timed sequence TSeq of A if

$c_{min} \le \mathit{TSeq}(\ell)$ implies $\mathit{TSeq}(\mathit{LF}) \le c$ .

Otherwise, we say that the linear duration invariant is violated by TSeq. 

The linear duration invariant

$(c_{min} \le \ell \;\Rightarrow\; \sum_{i=1}^{n} c_i \cdot \int P_i \le c)$

is satisfied by the untimed sequence of A

$\mathit{Seq} = p_1 p_2 \cdots p_m$ ,

written as

$\mathit{Seq} \models \mathit{LDI}$ ,

if it is satisfied by every timed sequence obtained from Seq. Otherwise, we say that LDI is violated by Seq.

Theorem 8.1 The problem

$\mathit{Seq} \models \mathit{LDI}$

is solvable using linear programming.

Proof. Let Seq = p_1 p_2 ⋯ p_m. Consider the timed sequence

$\mathit{TSeq} = (p_1, t_1)\,(p_2, t_2) \cdots (p_m, t_m)$ ,

and consider each t_i as a real variable.

The constraints of the linear programming problem are obtained from the timing constraints of A,

$\mathit{low}(p_i) \le t_i \le \mathit{up}(p_i)$ ,

for 1 ≤ i ≤ m, and from the left-hand side of the implication in the definition of LDI,

$c_{min} \le \mathit{TSeq}(\ell) \;(= \sum_{i=1}^{m} t_i)$ .

The objective function of the linear programming problem is

$\mathit{TSeq}(\mathit{LF}) \;(= \sum_{i=1}^{n} c_i \cdot \sum_{j \in \alpha_i} t_j)$ ,

where $\alpha_i = \{\, j \mid 1 \le j \le m \text{ and } \overleftarrow{p_j} = i \,\}$.

If the maximal value of the objective function exceeds c, the linear duration invariant is violated by Seq. Otherwise, it is satisfied by Seq. □
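As an added example (not code from the book), the following Python sets up and solves the linear programming problem of Theorem 8.1 for an untimed sequence: since every constraint except c_min ≤ TSeq(ℓ) bounds a single t_i, a greedy solver is exact and no LP library is needed. It is run on the gas burner automaton of Fig. 8.1 and reproduces the four maxima −60, −40, −41 and −22 of Sect. 8.1; the dictionary encoding of the automaton, the function names and the feasibility tolerance are this example's own assumptions.

```python
from math import inf

# Constructed encoding of a real-time automaton (Sect. 8.2): transition name ->
# (pre-state, post-state, low, up).  The values are those of the gas burner
# automaton of Fig. 8.1; the dictionary layout is this example's own choice.
GAS_BURNER = {
    "f": ("NonLeak", "Leak", 30.0, inf),  # failure: NonLeak lasts at least 30
    "r": ("Leak", "NonLeak", 0.0, 1.0),   # recovery: Leak lasts at most 1
}

# Linear duration invariant  c_min <= l  =>  sum_i c_i * (duration of P_i) <= c,
# stored as (c_min, {state: c_i}, c).  This is the simplified gas burner
# requirement  60 <= l => 19*int(Leak) - int(NonLeak) <= 0  of Sect. 8.1.
GAS_BURNER_LDI = (60.0, {"Leak": 19.0, "NonLeak": -1.0}, 0.0)


def weights(automaton, ldi, seq):
    """For each transition p_i of the untimed sequence seq return (c, low, up):
    c is the LDI coefficient of the pre-state of p_i (the factor of t_i in
    TSeq(LF)), low/up are the timing bounds on t_i.
    Raises ValueError if seq is not a consecutive sequence of transitions."""
    for a, b in zip(seq, seq[1:]):
        if automaton[a][1] != automaton[b][0]:
            raise ValueError(f"post-state of {a} is not the pre-state of {b}")
    _, coeffs, _ = ldi
    return [(coeffs.get(automaton[p][0], 0.0), automaton[p][2], automaton[p][3])
            for p in seq]


def max_objective(automaton, ldi, seq):
    """Maximum of TSeq(LF) over all timed sequences of seq with
    TSeq(l) >= c_min: the linear programming problem of Theorem 8.1.

    Returns None if no timed sequence of seq reaches c_min (the LDI then holds
    vacuously for seq), inf if LF is unbounded above, the maximum otherwise.
    Every constraint except sum(t_i) >= c_min bounds a single variable, so a
    greedy solution is exact: start each t_i at the bound that maximises its
    own term, then, if the total is still below c_min, raise the variables
    with the largest coefficients first until the deficit is covered."""
    c_min = ldi[0]
    ws = weights(automaton, ldi, seq)
    t = []
    for c, low, up in ws:
        if c > 0:
            if up == inf:
                return inf        # a positive term can grow without bound
            t.append(up)
        else:
            t.append(low)
    deficit = c_min - sum(t)
    if deficit > 0:
        # raising t_i by one unit changes LF by c, so try the largest c first
        for i in sorted(range(len(ws)), key=lambda i: -ws[i][0]):
            if deficit <= 0:
                break
            step = min(ws[i][2] - t[i], deficit)  # room left below up(p_i)
            t[i] += step
            deficit -= step
        if deficit > 1e-9:        # assumed tolerance for float arithmetic
            return None           # l can never reach c_min: infeasible
    return sum(c * ti for (c, _, _), ti in zip(ws, t))


def satisfies(automaton, ldi, seq):
    """Seq |= LDI in the sense of Sect. 8.3 (decided as in Theorem 8.1)."""
    m = max_objective(automaton, ldi, seq)
    return m is None or m <= ldi[2]


def max_lf(automaton, ldi, seq):
    """Largest value of LF over all timed sequences of seq, ignoring c_min
    (Sect. 8.4 calls the maximising sequence TSeq_max).  For the pair fr it
    is -11, the 'decreases by at least 11' bound used in Sect. 8.1."""
    return sum(c * (up if c > 0 else low)
               for c, low, up in weights(automaton, ldi, seq))


if __name__ == "__main__":
    # The four linear programming problems of Sect. 8.1.
    for seq in ("f", "fr", "frf", "frfr"):
        print(seq, max_objective(GAS_BURNER, GAS_BURNER_LDI, seq),
              satisfies(GAS_BURNER, GAS_BURNER_LDI, seq))
    print("fr", max_lf(GAS_BURNER, GAS_BURNER_LDI, "fr"))
```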

A linear duration invariant LDI is satisfied by a set L ⊆ T* of untimed sequences, written L ⊨ LDI, if Seq ⊨ LDI for every Seq ∈ L. Furthermore, a linear duration invariant LDI is satisfied by a real-time automaton A if it is satisfied by all untimed (and hence all timed) sequences of A, i.e. iff

$L_A \models \mathit{LDI}$ .



8.4 Reduction 

In this section we formalize the algorithm sketched in Sect. 8.1, in order to reduce

$L_A \models \mathit{LDI}$

to a finite set of linear programming problems.

In the following, we identify a regular expression with the language it 
denotes. 

A regular expression C(X) constructed from the transitions of T, the empty sequence ε and the letter X, using union, concatenation and repetition, is called a regular context. For a given regular language L ⊆ T*, C(L) denotes the regular language obtained from C(X) by replacing every occurrence of X in C(X) with L.

Two regular languages L_1 and L_2 of T are called congruently equivalent or simply equivalent with respect to LDI, written

$L_1 \equiv_{\mathit{LDI}} L_2$ ,

if for any regular context C(X),

$C(L_1) \models \mathit{LDI} \quad\text{iff}\quad C(L_2) \models \mathit{LDI}$ .

Given LDI, for simplicity we shall often drop the index LDI, and simply use ≡ instead of ≡_LDI.

In the rest of this chapter, we conduct the proof of the equivalence between L_1 and L_2 by providing, for any timed sequence TSeq_1 in L_1, a timed sequence TSeq_2 in L_2 such that

$\mathit{TSeq}_2(\ell) = \mathit{TSeq}_1(\ell) \quad\text{and}\quad \mathit{TSeq}_2(\mathit{LF}) \ge \mathit{TSeq}_1(\mathit{LF})$

and vice versa. In most cases, we even prove TSeq_2(LF) = TSeq_1(LF), by showing

$\mathit{TSeq}_2(\int P) = \mathit{TSeq}_1(\int P)$ , for any state P ∈ V.



A proof of equivalence can also be conducted at the level of untimed 
sequences, if we can find a correspondence between untimed sequences of Li 
and L2 which can be carried over to timed sequences. 

The problem

$L_A \models \mathit{LDI}$

is reduced to a finite set of linear programming problems in two steps.

In the first step, we derive from La an equivalent normal form, and in the 
second step, we reduce the satisfaction problem of LDI for a normal form to 
a finite set of linear programming problems. 

In order to define the normal form, we need the following concepts:

1. An untimed sequence p_1 p_2 ⋯ p_m of A is called a finite term. Note that the empty sequence ε is a finite term.

2. An infinite term is an untimed sequence of A followed by a repetition of a single transition with zero as its lower-bound timing constraint, i.e. an infinite term has the form

$p_1 p_2 \cdots p_m\, p^{*}$ ,

where low(p) = 0.

3. A normal form is a regular expression over the alphabet T of the form

$\bigcup_{i=1}^{k} L_i$ ,

where L_i is either a finite term or an infinite term. As a special case ∅, a regular expression for the empty language, is in normal form, as

$\emptyset = \bigcup_{i=1}^{0} L_i$ .

Note that it is decidable whether a finite term satisfies LDI (Theorem 8.1). 
Therefore, the main part of the second step is to solve the problem of whether 
an infinite term satisfies LDI. 



8.4.1 Congruent Equivalence 

Reordering the elements of a timed sequence does not change the value of ∫P, by Lemma 8.1, where P stands for any state of A. This preservation helps us establish the following theorem.
Theorem 8.2 For languages L_1, L_2 ⊆ T*:

1. $(L_1 L_2) \equiv (L_2 L_1)$.

2. $(L_1 \cup L_2)^{*} \equiv (L_1^{*} L_2^{*})$.

3. $(L_1 L_2)^{*} \equiv (\{\varepsilon\} \cup (L_1 (L_1^{*}) (L_2^{*})))$.

Proof. A proof can be given by showing that each untimed sequence of an original language has a corresponding sequence in the equivalent language which contains the same letters but may have a different order among the letters, and vice versa.

For example, for the second equivalence, it is obvious that

$(L_1 \cup L_2)^{*} \supseteq (L_1^{*} L_2^{*})$

and that by reordering the letters of an arbitrary string of (L_1 ∪ L_2)* into Seq_1 Seq_2, where Seq_1 is a string containing only letters in L_1 and Seq_2 is a string containing only letters in L_2, we can obtain the corresponding string in (L_1* L_2*). □

By Theorem 8.2, the distribution law for the concatenation over the union and the idempotent law for the repetition in a regular language, we can transform any regular language into an equivalent finite union of regular expressions of the form

$p_1 \cdots p_m\, \mathit{Seq}_1^{*} \cdots \mathit{Seq}_k^{*}$ .

For example,

$((p_1 p_2)^{*} \cup (p_3 p_4)^{*})^{*} p_5$
$\equiv (p_1 p_2)^{*} (p_3 p_4)^{*} p_5$  TH8.2(2)
$\equiv (\{\varepsilon\} \cup p_1 p_1^{*} p_2^{*}) (p_3 p_4)^{*} p_5$  TH8.2(3), Idempotent
$\equiv (p_3 p_4)^{*} p_5 \cup p_1 p_1^{*} p_2^{*} (p_3 p_4)^{*} p_5$  Distribution
$\equiv p_5 (p_3 p_4)^{*} \cup p_1 p_5 p_1^{*} p_2^{*} (p_3 p_4)^{*}$  TH8.2(1).

(In the above equations, "TH" means "Theorem".)

We now prove the following four theorems in order to reduce a regular expression of the form

$p_1 \cdots p_m\, \mathit{Seq}_1^{*} \cdots \mathit{Seq}_k^{*}$

to normal form. The first two theorems are concerned with the equivalence between untimed sequences having 0 as the lower bound of the timing constraints.

Theorem 8.3 If low(p_i) = 0 (i = 1, 2, ..., m), then

$(p_1 p_2 \cdots p_m)^{*} \equiv p_1^{*} p_2^{*} \cdots p_m^{*}$ .
Proof. It is obvious that the right-hand side includes the left-hand side:

$(p_1 p_2 \cdots p_m)^{*} \subseteq p_1^{*} p_2^{*} \cdots p_m^{*}$ .

We can also prove that for any timed sequence TSeq_1 on the right-hand side there exists a timed sequence TSeq_2 on the left-hand side such that, for any state P,

$\mathit{TSeq}_2(\int P) = \mathit{TSeq}_1(\int P)$ .

For example, let m = 2 and let

$(p_1, t_1)\,(p_1, t_2)\,(p_2, t_3)$

be a timed sequence on the right-hand side. Then

$(p_1, t_1)\,(p_2, t_3)\,(p_1, t_2)\,(p_2, 0)$

is the corresponding timed sequence on the left-hand side. We omit further details of the proof. □

Theorem 8.4 If low(p_1) = 0 and $c_{\overleftarrow{p_1}} \ge c_{\overleftarrow{p_2}}$, then

$(p_1^{*} p_2) \equiv p_1^{*}$ .

Proof. It is trivial to show one half of the equivalence between $(p_1^{*} p_2)$ and $p_1^{*}$. We shall use an example to demonstrate a proof of the other half of the equivalence. Let

$\mathit{TSeq}_1 = (p_1, t_1)\,(p_2, t_2)$

be a timed sequence of p_1* p_2. According to the definition of a real-time automaton given in Sect. 8.2, up(p_1) > 0. We define

$k = \lfloor t_2 / \mathit{up}(p_1) \rfloor \quad\text{and}\quad \delta = t_2 - k \cdot \mathit{up}(p_1)$ ,

i.e. we have

$t_2 = k \cdot \mathit{up}(p_1) + \delta$ .

Then the following timed sequence for p_1*,

$\mathit{TSeq}_2 = (p_1, t_1)\,(p_1, \mathit{up}(p_1))^{k}\,(p_1, \delta)$ ,

corresponds to TSeq_1, since we can prove

$\mathit{TSeq}_2(\ell) = \mathit{TSeq}_1(\ell) = t_1 + t_2$

and

$\mathit{TSeq}_2(\mathit{LF}) = c_{\overleftarrow{p_1}} \cdot (t_1 + t_2) \ge c_{\overleftarrow{p_1}} \cdot t_1 + c_{\overleftarrow{p_2}} \cdot t_2 = \mathit{TSeq}_1(\mathit{LF})$  (as $c_{\overleftarrow{p_1}} \ge c_{\overleftarrow{p_2}}$),

where we have used the proof technique discussed in the introduction to Sect. 8.4. □

By use of Theorems 8.3 and 8.4, we can directly derive the following 
corollary. 

Corollary 8.1 If $low(p_i) = 0$ ($i = 1, 2, \ldots, m$) and 

$c_{p_j} = \max\{c_{p_i} \mid i = 1, 2, \ldots, m\}$ , 

then 

$(p_1 p_2 \cdots p_m)^* = p_j^*$ . 

The following two theorems are concerned with the equivalence of untimed 
sequences with a positive lower bound on the timing constraints. 

Given an untimed sequence 

$Seq = p_1 p_2 \cdots p_m$ , 

let $\ell_{min}$ be the shortest time period which $Seq$ covers, i.e. 

$\ell_{min} = \sum_{i=1}^{m} low(p_i)$ . 

We can also obtain from $Seq$ a timed sequence 

$TSeq_{max} = (p_1, t_1)(p_2, t_2) \cdots (p_m, t_m)$ , 

where 

$t_i = \begin{cases} up(p_i) & \text{if } c_{p_i} > 0 \\ low(p_i) & \text{otherwise} \end{cases}$ 

for $1 \le i \le m$. 

This sequence has the maximal value of $LF$ among all timed sequences of 
$Seq$, 

$TSeq_{max}(LF) = \sum_{i=1}^{m} c_{p_i} t_i$ , 

where we let $TSeq_{max}(LF) = \infty$ if some $t_i$ is $\infty$. 
Theorem 8.5 If $\ell_{min} > 0$ and $TSeq_{max}(LF) > 0$, then for any regular 
context $C(X)$ containing an occurrence of $X$, $C(Seq^*)$ violates $LDI$. 

Proof. Since $X$ occurs in $C(X)$, there is an untimed sequence of the form 

$p_{j_1} p_{j_2} \cdots p_{j_r}\, Seq^i\, p_{l_1} p_{l_2} \cdots p_{l_n}$ 

in $C(Seq^*)$, for any $i \ge 0$, with a corresponding timed sequence 

$TSeq_C(i) = TSeq_j\, TSeq_{max}^i\, TSeq_l$ , 

where $TSeq_j$ is a timed sequence for $p_{j_1} p_{j_2} \cdots p_{j_r}$ and $TSeq_l$ is a timed 
sequence for $p_{l_1} p_{l_2} \cdots p_{l_n}$. 

The value of the linear function for $TSeq_C(i)$ is 

$TSeq_C(i)(LF) = TSeq_j(LF) + i \cdot TSeq_{max}(LF) + TSeq_l(LF)$ . 

Since $TSeq_{max}(LF) > 0$, the value of $TSeq_C(i)(LF)$ is a strictly monotonically 
increasing function of $i$. Let 

$m = 1 + \lfloor |c - TSeq_j(LF) - TSeq_l(LF)| / TSeq_{max}(LF) \rfloor$ . 

Then 

$TSeq_C(i)(LF) > c$ 

for all $i \ge m$. 

Since $\ell_{min} > 0$, by using $k$ repetitions of $Seq$, where 

$k = \lceil c_{min} / \ell_{min} \rceil$ , 

we obtain $TSeq_C(k)(\ell) \ge c_{min}$, thereby making the left-hand side of $LDI$ 
true. Therefore, for $i_0 = \max\{k, m\}$, we have the result that $TSeq_C(i_0)$ 
violates $LDI$, and so does $C(Seq^*)$. □ 

Theorem 8.6 If $\ell_{min} > 0$ and $TSeq_{max}(LF) \le 0$, then 

$Seq^* = Seq^k$ , 

where $k = \lceil c_{min} / \ell_{min} \rceil$. 

Proof. An argument concerning this theorem was given in Sect. 8.1 when we 
derived the conclusion shown in Fig. 8.5; we shall not repeat this argument 
here. □ 
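To make the case analysis of Corollary 8.1 and Theorems 8.5 and 8.6 concrete, here is an added Python example; it is not code from the book. It takes the linear duration invariant in the form $c_{min} \le \ell \Rightarrow \sum_i c_i \int P_i \le c$, computes $\ell_{min}$ and $TSeq_{max}(LF)$ for an untimed sequence $Seq$, and reports what $Seq^*$ reduces to. In the Theorem 8.5 case it also builds the violating timed sequence from the proof for the trivial context $C(X) = X$ and checks it directly against the invariant. The transitions, bounds and coefficients are constructed for the illustration (19 for Leak and $-1$ for NonLeak encode the gas burner requirement $20\int Leak \le \ell$ as $19\int Leak - \int NonLeak \le 0$); how an infinite $up(p_i)$ with a positive coefficient is turned into a finite witness is an assumption of this example, since the text only records that case as $TSeq_{max}(LF) = \infty$.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

INF = math.inf


@dataclass(frozen=True)
class Transition:
    """A transition p of a real-time automaton: it is labelled with a DC state
    and carries the timing bounds low(p) <= t <= up(p) (up(p) may be infinite)."""
    name: str
    state: str
    low: float
    up: float


@dataclass(frozen=True)
class LDI:
    """Linear duration invariant  c_min <= l  =>  sum_i c_i * int(P_i) <= c,
    with the coefficient c_i of each state given by state name."""
    coef: Dict[str, float]
    c: float
    c_min: float


TimedSeq = List[Tuple[Transition, float]]   # (p_i, t_i) with low(p_i) <= t_i <= up(p_i)


def length(tseq: TimedSeq) -> float:
    """TSeq(l): the time covered by a timed sequence."""
    return sum(t for _, t in tseq)


def lf_value(tseq: TimedSeq, ldi: LDI) -> float:
    """TSeq(LF): the value of the linear function on a timed sequence."""
    return sum(ldi.coef[p.state] * t for p, t in tseq)


def ldi_holds(tseq: TimedSeq, ldi: LDI) -> bool:
    """A timed sequence violates LDI iff its length reaches c_min while LF exceeds c."""
    return not (length(tseq) >= ldi.c_min and lf_value(tseq, ldi) > ldi.c)


def l_min(seq: List[Transition]) -> float:
    """l_min: the shortest time period an untimed sequence Seq can cover."""
    return sum(p.low for p in seq)


def tseq_max(seq: List[Transition], ldi: LDI) -> TimedSeq:
    """TSeq_max: up(p_i) where the coefficient is positive, low(p_i) otherwise."""
    return [(p, p.up if ldi.coef[p.state] > 0 else p.low) for p in seq]


def _finite_block(seq: List[Transition], ldi: LDI) -> TimedSeq:
    """TSeq_max with every infinite duration replaced by a finite one chosen so that
    the block's LF value still exceeds |c| (assumption of this example; only needed
    when TSeq_max(LF) is infinite).  Without infinite durations it is TSeq_max itself."""
    block, acc = [], lf_value([(p, t) for p, t in tseq_max(seq, ldi) if t != INF], ldi)
    for p, t in tseq_max(seq, ldi):
        if t == INF:   # only happens for a positive coefficient, so the division is safe
            t = max(p.low, (abs(ldi.c) + 1 - acc) / ldi.coef[p.state])
            acc += ldi.coef[p.state] * t
        block.append((p, t))
    return block


def classify_star(seq: List[Transition], ldi: LDI):
    """Reduce Seq* as in the text: Corollary 8.1 when l_min = 0, Theorem 8.6 (unfold
    k times) when TSeq_max(LF) <= 0, and Theorem 8.5 otherwise, in which case a
    violating timed sequence of Seq* itself (context C(X) = X) is returned as witness."""
    if l_min(seq) == 0:
        return ("infinite_term", max(seq, key=lambda p: ldi.coef[p.state]))
    k = math.ceil(ldi.c_min / l_min(seq))
    if lf_value(tseq_max(seq, ldi), ldi) <= 0:
        return ("unfold", k)
    block = _finite_block(seq, ldi)
    # m repetitions push LF above c; k repetitions push the length to at least c_min.
    m = 1 + math.floor(abs(ldi.c) / lf_value(block, ldi))
    return ("violates", block * max(k, m))
```

With the gas burner coefficients, a leak of at most 1 s followed by at least 30 s without leak gives $TSeq_{max}(LF) = 19 - 30 \le 0$, so $Seq^*$ only needs unfolding $k = \lceil 60/30 \rceil = 2$ times, whereas allowing the leak to last 2 s gives $38 - 30 > 0$ and the two-repetition witness has $\ell = 64 \ge 60$ and $LF = 16 > 0$.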
8.4.2 Closure Properties of Normal Forms 

We now investigate closure properties of normal forms with respect to a 
given linear duration invariant $LDI$. The proofs of the closure properties are 
constructive, and they constitute the main parts of the algorithm for the 
derivation of a normal form for a regular expression over the alphabet $T$. 

Theorem 8.7 The regular expressions $\emptyset$, $\varepsilon$ and $p$ are in normal form. 

Proof. This follows directly from the definition of a normal form. □ 

Theorem 8.8 Normal forms are closed with respect to union. 

Proof. For any normal forms $L_1$ and $L_2$, the regular expression $L_1 \cup L_2$ is, 
by definition, in normal form. □ 

Theorem 8.9 If $L_1, L_2 \subseteq T^*$ are in normal form, then there is a normal 
form equivalent to $L_1 L_2$. 

Proof. Since $L_1$ and $L_2$ are in normal form, we have 

$L_i = \bigcup_{j=1}^{m_i} L_{ij}$   ($i = 1, 2$) , 

where each $L_{ij}$ is either a finite term or an infinite term. 

By distributing the concatenation over the union, we can transform $L_1 L_2$ 
to an equivalent regular expression 

$\bigcup_{j=1}^{m_1} \bigcup_{k=1}^{m_2} L_{1j} L_{2k}$ . 

We can show that for each $L_{1j} L_{2k}$ there is an equivalent normal form, by 
considering the following three cases: 

1. $L_{1j}$ and $L_{2k}$ are finite terms. By definition, so is $L_{1j} L_{2k}$. 

2. One of $L_{1j}$ and $L_{2k}$ is a finite term and the other is infinite. By Theorem 8.2(1), 
the necessary permutations can be applied in order to obtain 
an equivalent infinite term for $L_{1j} L_{2k}$. 

3. Both $L_{1j}$ and $L_{2k}$ are infinite terms, i.e. $L_{1j} = Seq_1 p_1^*$, with $low(p_1) = 0$, 
and $L_{2k} = Seq_2 p_2^*$, with $low(p_2) = 0$. By Theorem 8.2(1), we obtain 

$L_{1j} L_{2k} = Seq_1 Seq_2 p_1^* p_2^*$ . 

By applying Theorem 8.4 to $p_1^* p_2^*$, we can (by comparing $c_{p_1}$ with $c_{p_2}$) 
delete one of $p_1$ and $p_2$ and obtain an infinite term which is equivalent 
to $L_{1j} L_{2k}$. 

□ 
Theorem 8.10 If $L \subseteq T^*$ is in normal form, then either there is a normal 
form for $L^*$ or the linear duration invariant $LDI$ is violated by $L^*$. 

Proof. Suppose $\bigcup_{j=1}^{m} L_j$ is the normal form for $L$. By Theorem 8.2(2), 

$L^* = L_1^* L_2^* \cdots L_m^*$ , 

where $L_i$ (for $1 \le i \le m$) is either a finite or an infinite term. 

We show that every $L_i^*$ has an equivalent normal form, unless it (and also 
$L^*$) violates $LDI$. When we have done this, the proof is completed because 
(by Theorem 8.9) normal forms are closed with respect to concatenation. 

We consider the following cases: 

1. $L_i = Seq = p_1 p_2 \cdots p_m$ is a finite term. This part is split further into 
three cases: 

Case a: $\ell_{min} = 0$ (for $Seq$). By Corollary 8.1, $Seq^*$ is equivalent to a $p_j^*$ 
(for some $j$, where $1 \le j \le m$) which is an infinite term. 

Case b: $\ell_{min} > 0$ and $TSeq_{max}(LF) > 0$. By Theorem 8.5, for any regular 
context $C(X)$, $C(L_i^*)$ violates $LDI$. So does $L^*$. 

Case c: $\ell_{min} > 0$ and $TSeq_{max}(LF) \le 0$. By Theorem 8.6, we can transform 
$L_i^*$ into an equivalent concatenation of finite terms. 

2. $L_i = p_1 p_2 \cdots p_m p^*$ is an infinite term. Let $Seq = p_1 p_2 \cdots p_m$, which is a 
finite term. By Theorem 8.2(3), 

$L_i^* = (\{\varepsilon\} \cup Seq\, Seq^*\, p^*)$ . 

There is an equivalent normal form for $Seq^*$, by Case 1, unless $LDI$ is 
violated. Since $\varepsilon$, $Seq$ and $p^*$ are normal forms, and normal forms are closed 
with respect to union and concatenation (Theorems 8.7, 8.8 and 8.9), 
there is a normal form equivalent to $L_i^*$, unless $LDI$ is violated. 

□ 

A simple consequence of the closure properties is expressed in the follow- 
ing theorem. 

Theorem 8.11 Any regular language over the alphabet T has an equivalent 
normal form, unless the linear duration invariant LDI is violated. 



8.4.3 An Algorithm Deriving Normal Forms 

Since the proofs of the closure properties given in the previous section are 
all constructive, it is easy to construct a recursive algorithm which can take 
a regular expression over an alphabet T as input and produce an equivalent 
normal form as output, unless it detects that the linear duration invariant is 
violated. 
8.4.4 Infinite Term 

Theorem 8.1 demonstrates how to transform the satisfaction of $LDI$ for a 
finite term into a linear programming problem. Here we show how to transform 
the satisfaction problem for an infinite term into a linear programming 
problem. 

Let $L$ be an infinite term 

$L = p_1 p_2 \cdots p_m p^*$ , 

where $low(p) = 0$. We introduce an extra state $P_{n+1}$ and a new transition $p'$ 
labelled with $P_{n+1}$, where 

$low(p') = 0$ and $up(p') = \infty$ , 

and introduce a new linear invariant $LDI'$ derived from $LDI$ by changing $LF$ 
such that 

$LF' = LF + c_p \int P_{n+1}$ . 

In other words, we simulate $p^*$ by $p'$, and we have the result that 

$p_1 p_2 \cdots p_m p^* \models LDI$ iff $p_1 p_2 \cdots p_m p' \models LDI'$ . 

By transforming the satisfaction problem of $LDI'$ for the finite term 

$p_1 p_2 \cdots p_m p'$ 

into a linear programming problem, we can solve the satisfaction problem of 
$LDI$ for the infinite term $p_1 p_2 \cdots p_m p^*$. 



8.5 Generalization 

An easy generalization is to introduce an upper bound $c_{max}$ for $\ell$ in the linear 
duration invariant: 

$LDI \;\widehat{=}\; c_{min} \le \ell \le c_{max} \Rightarrow \sum_{i=1}^{n} c_i \int P_i \le c$ . 

The decision procedure for this satisfaction problem becomes simpler than 
for the original problem and is left to readers as an exercise. 

It is also an easy generalization to introduce state expressions into the 
linear duration invariant. Since the states $\{P_1, P_2, \ldots, P_n\}$ are exclusive and 
complete, any state expression of $\{P_1, P_2, \ldots, P_n\}$ is equivalent to a disjunction 
of $\{P_1, P_2, \ldots, P_n\}$, e.g. 

$\neg P_1 \Leftrightarrow P_2 \vee \cdots \vee P_n$ and $P_1 \wedge P_3 \Leftrightarrow 0$ , 

and therefore the duration of a disjunction of states ($P_i$) is equal to the sum 
of the durations of the individual states. 

By Theorem 8.11, we can transform any regular language over $T$ to a normal 
form unless the linear duration invariant is violated. Hence, the definition 
of a real-time automaton (in Sect. 8.2) can be generalized in any possible way, 
as long as the set of untimed sequences of the automaton is regular. 

It is also not a difficult generalization to allow several states of the automaton 
to be labeled with the same DC state variable, as the algorithm 
presented here requires only that the DC state variables are complete and 
exclusive. 

With these generalizations, it is possible to check whether a linear duration 
invariant holds for all subintervals with respect to the timed sequences 
generated by a real-time automaton $A$, as one can add extra states and transitions 
(with new upper and lower bounds) to $A$ to simulate this. With this 
technique it can, for example, be checked whether 

$\Box(\ell \ge 60 \Rightarrow 20 \int Leak \le \ell)$ 

holds for the gas burner automaton. Details are left for the reader. 

In the literature, there are other interesting algorithms to check a linear 
duration invariant against an automaton. For example, [70] reduces the 
satisfaction problem of linear duration invariants with respect to timed 
automata ([6]) to mixed integer programming and [12] reduces it to the linear 
programming problem. References [80, 81] solve this problem for a subset of 
hybrid automata ([4, 99]), restrictions on linear duration invariants to reduce 
the complexity of model checking are considered in [84, 159], and [158] 
establishes a reduction for a network of real-time automata. 
9.1 Introduction 

A real-time system may comprise both states and events. A state of a system 
characterizes a stable aspect of the system behavior. By stable, we mean 
that once the system enters a state, it will stay in that state throughout a 
period. An event of a system characterizes an interaction of the system 
with its environment. This can drive both the system and its environment to 
change their behavior dramatically. 

For example, in the case of the gas burner, a flame failure caused by 
the environment can be taken as an event sent to the gas burner from the 
environment, which drives the gas burner to change its behavior from the 
normal (NonLeak) state to an abnormal (Leak) state. 

Two approaches to extending DC with instant actions have been investigated. 
In [169], both the state and the event are taken to be "first-class 
citizens", and the Boolean state model is augmented by events in the form of 
Boolean-valued $\delta$-functions (i.e. Boolean-valued functions with value 1 only 
at isolated points). In order to express real-time properties of Boolean-valued 
$\delta$-functions, mean values of Boolean-valued functions were introduced in [169] 
to replace integrals. Another approach was suggested in [164], where events 
are introduced as state derivatives called state transitions, so that the Boolean 
state model can be maintained. In this book, we adopt the second approach, 
since this approach fits better with other parts of the book. 

Let $S_1$ and $S_2$ be two different Boolean states of a real-time system. 
They characterize two distinct aspects of the system behavior. $S_i(t) = 1$, for 
$i = 1, 2$, means that the system stays in $S_i$ at $t$. We say that the system 
satisfies $S_i$ at $t$ when $S_i(t) = 1$. 

A state transition of the system from $S_1$ to $S_2$ occurs at time $t$ iff immediately 
before $t$ the system is in $S_1$ (i.e. there exists $\delta > 0$ such that $S_1$ has 
value 1 in a period $(t - \delta, t)$), and immediately after $t$ the system is in $S_2$ (i.e. 
there exists $\delta > 0$ such that $S_2$ has value 1 in a period $(t, t + \delta)$). Thus, a state 
transition from $S_1$ to $S_2$ at $t$ represents a change of the system behavior from 
satisfying $S_1$ to satisfying $S_2$ at $t$. Hence, events can be identified by state 
transitions as the driving force of significant changes in the system behavior. 
For example, an event of flame failure in the gas burner can be identified 
by a state transition from NonLeak to Leak, if flame failure is the only cause 
of gas leakage in the gas burner. 

Let us consider the gas burner example again. A refinement of the two 
design decisions of the gas burner is given in [127]. A revised version of this 
refinement is shown as an automaton in Fig. 9.1. 

Fig. 9.1. Automaton for refined design of the gas burner 
This automaton has five states: Idle, Purge, Ignite, Burn and Failure, 
which make up a refined Boolean state model of the gas burner. These five 
states characterize five exclusive aspects of the behavior of the gas burner, 
and form a complete characterization of the behavior of the gas burner. That 
is, at any time, the gas burner is in one and only one of these states. 

This automaton responds to four events from its environment: HeatOn, 
HeatOff, DeFail and Out30. The behavior of the automaton can be explained 
informally as follows, and a formal specification of the automaton can be 
found in Sect. 9.4. 

Idle: When the gas burner is in the Idle state, the gas is turned off, and the 
gas burner awaits a heat request. The burner will transfer to the Purge 
state on receiving a heat request from its environment. In the automaton, 
a heat request is denoted by the event HeatOn. 

Purge: In this state, the gas is still turned off, and the gas burner pauses 
for 30 seconds by first setting a timer, and then transferring to the Ignite 
state on receiving a time-out signal after 30 seconds. This time-out signal 
is denoted by the event Out30.¹ 

¹ Note that this automaton takes into account only events received by the automaton, 
such as HeatOn and Out30, and ignores events sent by the automaton, such 
as setting the timer. 
Ignite: In the Ignite state, gas is supplied, and ignition is performed with 
a pilot flame. If the ignition succeeds, the gas burner transfers to the 
Burn state. Otherwise, it transfers to the Failure state upon receiving an 
ignition failure signal, which is presumably detected as soon as the gas 
supply reaches a leak threshold. The detected failure is denoted by the 
event DeFail. 

Burn: When the gas burner is in the Burn state, the flame is on. The gas 
burner will remain in the Burn state until the heat request is cancelled 
(denoted by the event HeatOff) or a flame failure is detected (denoted 
by the event DeFail). When the heat request is cancelled, the gas is then 
turned off and the Idle state is entered. When a flame failure occurs, the 
gas burner immediately transfers to the Failure state. 

Failure: In the Failure state, ignition failure and flame failure are treated 
urgently. The gas valve is closed within one second, and then the gas 
burner transfers to the Idle state. (In the automaton, by assigning to the 
transition from Failure to Idle a real-time constraint written as < 1, we 
mean that the transition from Failure to Idle must take place within one 
second after the gas burner enters the Failure state.) In the Failure state, 
i.e. during the treatment of failures, it is assumed that gas is leaking. 

From the above description, one can see that the automaton will not 
respond to the event HeatOn unless it is in Idle, and it will transfer from 
Idle to Purge when it responds to the event HeatOn. Hence, as far as the 
behavior of the automaton is concerned, HeatOn can be identified as the 
state transition of the automaton from Idle to Purge. Similarly, Out30 can 
be identified as the state transition from Purge to Ignite, and HeatOff as the 
state transition from Burn to Idle. However, DeFail denotes two causes of gas 
leakage, namely ignition failure and flame failure. When DeFail happens, the 
gas burner may be in either the Ignite or the Burn state, and will be driven 
to the Failure state by DeFail. The event DeFail can therefore be identified 
as a formula (i.e. a disjunction) of these two state transitions. 
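As an added example (not code from the book or from [127]), the informal description above can be replayed on constructed event traces to see which timed behaviors the automaton admits. The transition table, the 30 s purge and the "< 1" s bound on leaving Failure come from the description; the names Ignited and ValveClosed for the two moves the text leaves unlabelled are assumed here, and so is reading the purge timer as firing exactly 30 s after Purge is entered.

```python
from typing import List, Optional, Tuple

# Transition relation of the refined gas burner automaton of Fig. 9.1, keyed by
# (source state, event).  HeatOn, Out30, HeatOff and DeFail are the four events the
# automaton receives.  "Ignited" (Ignite -> Burn on a successful ignition) and
# "ValveClosed" (Failure -> Idle once the valve is shut) are names assumed here for
# the moves the text leaves unlabelled; they are not names from the book.
TRANSITIONS = {
    ("Idle", "HeatOn"): "Purge",
    ("Purge", "Out30"): "Ignite",
    ("Ignite", "Ignited"): "Burn",
    ("Ignite", "DeFail"): "Failure",
    ("Burn", "HeatOff"): "Idle",
    ("Burn", "DeFail"): "Failure",
    ("Failure", "ValveClosed"): "Idle",
}
ENVIRONMENT_EVENTS = {"HeatOn", "Out30", "HeatOff", "DeFail"}
PURGE_TIME = 30.0      # the purge timer: Out30 arrives 30 s after Purge is entered
FAILURE_LIMIT = 1.0    # the "< 1" constraint on the transition Failure -> Idle

Trace = List[Tuple[float, str]]   # (time, event) pairs with non-decreasing times


def event_of(src: str, dst: str) -> Optional[str]:
    """The environment event identified with a state transition, as in the text:
    HeatOn is Idle -> Purge, Out30 is Purge -> Ignite, HeatOff is Burn -> Idle, and
    DeFail is the disjunction of Ignite -> Failure and Burn -> Failure.  The internal
    moves Ignite -> Burn and Failure -> Idle are not events and give None."""
    for (s, ev), d in TRANSITIONS.items():
        if (s, d) == (src, dst) and ev in ENVIRONMENT_EVENTS:
            return ev
    return None


def check_trace(trace: Trace) -> Tuple[bool, str, str]:
    """Replay a timed event trace from Idle at time 0 and report whether the
    automaton accepts it, the state reached, and the first rule violated."""
    state, entered, now = "Idle", 0.0, 0.0
    for t, ev in trace:
        if t < now:
            return (False, state, f"time goes backwards at {t}")
        if (state, ev) not in TRANSITIONS:
            return (False, state, f"{ev} is not accepted in {state} at {t}")
        # In Purge the only accepted event is Out30, which the timer sends after 30 s.
        if state == "Purge" and t - entered != PURGE_TIME:
            return (False, state, f"Out30 at {t} is not 30 s after Purge was entered at {entered}")
        # Failure handling must finish within one second (constraint "< 1" in Fig. 9.1).
        if state == "Failure" and t - entered >= FAILURE_LIMIT:
            return (False, state, f"Failure lasted {t - entered} s, not < 1 s")
        state, entered, now = TRANSITIONS[(state, ev)], t, t
    return (True, state, "ok")
```

A trace such as HeatOn at 0, Out30 at 30, Ignited at 31, DeFail at 100 and ValveClosed at 100.5 is accepted and ends in Idle; the same trace with the valve closed at 101.5, an Out30 at 29, or a second HeatOn while purging is rejected with the rule named.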

State transitions are instant actions. Hence, they can be expressed as formulas 
that are true in point intervals. A formula expressing a state transition 
from $S_1$ to $S_2$ must have a syntactic structure to indicate the source state $S_1$ 
and the destination state $S_2$ of the state transition. 

However, in DC there is no such formula. Two kinds of atomic formulas 
constructed from states to express state transitions are introduced in 
Sect. 9.2. These extra formulas are called transition formulas. 

The semantics of the transition formulas in a point interval can be determined 
by the properties of states in a neighborhood of the point, since a 
state transition from $S_1$ to $S_2$ occurs at $t$ iff the value of $S_1$ is 1 throughout 
some left neighborhood of $t$ and the value of $S_2$ is 1 throughout some right 
neighborhood of $t$. Thus, state transitions (and events treated as formulas 
of state transitions) can be formalized in DC without augmentation of the 
Boolean state model. 







The syntax and semantics of transition formulas are given in Sect. 9.2, and 
extra axioms for transition formulas are given in Sect. 9.3. The extra axioms, 
together with the axioms and rules of DC, make up a calculus to describe 
and reason about real-time systems in terms of both states and events. This 
calculus is called state transition calculus. State transition calculus retains the 
result of relative completeness of DC. A formal description and verification of 
the refinement of the gas burner shown in Fig. 9.1 are presented in Sect. 9.4. 



9.2 Transition Formulas 

This section introduces transition formulas, and also demonstrates by ex- 
amples how to use transition formulas to specify the behavior of real-time 
systems in terms of both states and events. Among the examples is a NOR 
circuit. 



9.2.1 Formulas $\boldsymbol{\backslash}S$ and $\boldsymbol{/}S$ 

To the syntax of DC, we add the following two special symbols, $\boldsymbol{\backslash}$ and $\boldsymbol{/}$, 
and the following rule for building formulas: 

• If $S$ is a state expression, then $\boldsymbol{\backslash}S$ and $\boldsymbol{/}S$ are formulas, also called 
transition formulas. 

The semantics of $\boldsymbol{\backslash}S$ and $\boldsymbol{/}S$ are defined in terms of $\lceil S \rceil$ as follows. 
Given an interpretation $\mathcal{I}$, a value assignment $\mathcal{V}$ and an interval $[b, e]$, 

$\mathcal{I}, \mathcal{V}, [b, e] \models \boldsymbol{\backslash}S$ iff $\mathcal{I}, \mathcal{V}, [b - \delta, b] \models \lceil S \rceil$, for some $\delta > 0$ , 

and 

$\mathcal{I}, \mathcal{V}, [b, e] \models \boldsymbol{/}S$ iff $\mathcal{I}, \mathcal{V}, [e, e + \delta] \models \lceil S \rceil$, for some $\delta > 0$ , 

where the interpretation $\mathcal{I}$ and the value assignment $\mathcal{V}$ are defined as in 
Chap. 3. Thus, $\boldsymbol{\backslash}S$ or $\boldsymbol{/}S$ holds for an interval iff $S$ has a constant presence 
in a left or right neighborhood of the beginning or ending point, respectively, 
of the interval. See Fig. 9.2. 

Two abbreviations are introduced here: 

$\backslash S \;\widehat{=}\; \boldsymbol{\backslash}S \wedge (\ell = 0)$ 
$/S \;\widehat{=}\; \boldsymbol{/}S \wedge (\ell = 0)$ . 

The formulas $\backslash S$ and $/S$ define a constant presence of $S$ in a left and a 
right neighborhood, respectively, of a point. Symbols in bold type, $\boldsymbol{\backslash}$ and $\boldsymbol{/}$, 
are used for transition formulas over arbitrary intervals, while symbols in 
ordinary type, $\backslash$ and $/$, are used for transition formulas over point intervals. 

Fig. 9.2. Meaning of $\boldsymbol{\backslash}S$ and $\boldsymbol{/}S$ on the interval $[b, e]$ 



We can express instant state transitions in terms of $\backslash S$ and $/S$ with 
propositional connectives. Let $S_1$ and $S_2$ be states of a system. The formula 

$\backslash S_1 \wedge /S_2$ 

means that $S_1$ is constantly present in a left neighborhood of a point and $S_2$ 
is constantly present in a right neighborhood of this point. Hence, when $S_1$ 
and $S_2$ are distinct states, $(\backslash S_1 \wedge /S_2)$ describes a state transition of the 
system from $S_1$ to $S_2$ at a point. For example, 

$\backslash Idle \wedge /Purge$ 

describes a state transition of the automaton from Idle to Purge. 

Events identified with state transitions can be expressed in terms of transition 
formulas. For example, the event HeatOn can be identified with a 
state transition from Idle to Purge, and hence HeatOn can be expressed as 

$\backslash Idle \wedge /Purge$ . 

The event DeFail is expressed using a state expression with more structure, 

$\backslash(Ignite \vee Burn) \wedge /Failure$ , 

since it can be identified with two state transitions: from either Ignite or Burn 
to Failure. 
9.2.2 Formulas $\downarrow S$ and $\uparrow S$ 

For a state $S$ of a system, the formula 

$\backslash S \wedge /\neg S$ 

is true at a point iff the value of $S$ changes from 1 to 0 at that point. That is, 
the system leaves $S$ at that point. Similarly, $\backslash\neg S \wedge /S$ is true at a point iff 
the value of $S$ changes from 0 to 1 at that point. That is, the system enters 
state $S$ at the point. 

For these formulas, we introduce the abbreviations 

$\downarrow S \;\widehat{=}\; \backslash S \wedge /\neg S$ 
$\uparrow S \;\widehat{=}\; \backslash\neg S \wedge /S$ . 

The meanings of $\downarrow S$ and $\uparrow S$ are illustrated in Fig. 9.3. 

Fig. 9.3. Meanings of $\downarrow S$ and $\uparrow S$ 

One can also describe state transitions in terms of $\downarrow S$ and $\uparrow S$. Let $S_1$ 
and $S_2$ be two states of a system. Consider the formula 

$\downarrow S_1 \wedge \uparrow S_2$ . 

This formula holds at a point iff the system leaves $S_1$ and, meanwhile, enters 
$S_2$ at that point. 

When $S_1 = S_2$, the formula $\downarrow S_1 \wedge \uparrow S_2$ cannot hold, since it is a contradiction 
that a system leaves a state and meanwhile enters the same state. However, 
when $S_1 \Rightarrow \neg S_2$ (i.e. $S_1$ and $S_2$ are exclusive), the formula $\downarrow S_1 \wedge \uparrow S_2$ is 
meaningful, and forms another description of a state transition of the system 
from $S_1$ to $S_2$. In fact, we prove in the next section that 

$\downarrow S_1 \wedge \uparrow S_2$ 

is equivalent to 

$\backslash S_1 \wedge /S_2$ 

under the condition that $S_1 \Rightarrow \neg S_2$ is true. 

For the case of the automaton in Fig. 9.1, the formula 

$\downarrow Idle \wedge \uparrow Purge$ 

describes a state transition of the automaton from Idle to Purge. Moreover, 
the formula 

$\downarrow Idle \Rightarrow \uparrow Purge$ 

defines Purge as the only transition destination of Idle, and can form part of 
a formal specification of the automaton. Similarly, the formulas 

$\downarrow Purge \Rightarrow \uparrow Ignite$ 

and 

$\downarrow Ignite \Rightarrow \uparrow(Burn \vee Failure)$ 

can also become a part of a formal specification for the automaton, to define 
the condition that from Purge the automaton can transfer only to Ignite, 
and from Ignite it can transfer either to Burn or to Failure. 

In circuit design, a Boolean-valued function $S$ over time can be used 
to model the voltage of a wire, where $S(t) = 1$ means that the wire $S$ is 
connected to a power source (i.e. it is at a high voltage) at time $t$, while 
$S(t) = 0$ means a connection of the wire $S$ to ground (i.e. low voltage) at $t$. 

The formula $\downarrow S$ describes a falling edge of the wire voltage, which represents 
an instant fall of the wire voltage from high to low. Similarly, $\uparrow S$ 
describes a rising edge of the wire voltage, which represents an instant rise 
of the wire voltage from low to high. 

Circuit designers also use formulas to express the stability of a voltage. 
For example, $\bot S$ is used to mean that the wire represented by $S$ remains 
connected to ground at some time, and $\top S$ means a continuous connection 
of the wire to power at some time. 

These two formulas can also be defined by the transition formulas 

$\bot S \;\widehat{=}\; \backslash\neg S \wedge /\neg S$ 
$\top S \;\widehat{=}\; \backslash S \wedge /S$ . 

From the definitions, $\bot S$ and $\top S$ hold only for a point interval; $\bot S$ or $\top S$ 
holds at a point iff $S$ has value 0 or 1, respectively, in both a left and a right 
neighborhood of the point, as illustrated in Fig. 9.4. 

With $\downarrow S$, $\uparrow S$, $\bot S$ and $\top S$, we can specify and reason about the behavior 
of circuits. 

Fig. 9.4. Meanings of $\bot S$ and $\top S$ 



9.2.3 Example: NOR Circuit 

Consider a NOR circuit with one output wire and two input wires as shown 
in Fig. 9.5. 

Fig. 9.5. NOR circuit (inputs In1 and In2, output Out) 

Let Out, In1 and In2 be three Boolean-valued functions (i.e. Boolean 
states), which denote the voltages of the output and input wires of the circuit. 
Thus, $\uparrow Out$ and $\downarrow Out$ represent output signals of the circuit. If we neglect 
the propagation delay of signals in the circuit, then the functionality of the 
circuit is specified by 

$\uparrow Out \Leftrightarrow \uparrow\neg(In1 \vee In2)$ 

and 

$\downarrow Out \Leftrightarrow \downarrow\neg(In1 \vee In2)$ . 

Input signals which cause rising and falling of the output will be immediately 
propagated to the output wire. In the conventional theory of combinational 
circuits, it is stated that a rising signal appears at the output of a 
NOR circuit iff at that time both the inputs receive a falling signal, or one 
of the inputs receives a falling signal while the other is at low voltage. With 
the transition formulas, this statement can be formally expressed as 

$\uparrow\neg(In1 \vee In2) \Leftrightarrow ((\downarrow In1 \wedge \downarrow In2) \vee (\downarrow In1 \wedge \bot In2) \vee (\bot In1 \wedge \downarrow In2))$ . 

Symmetrically, we can express a corresponding statement for a falling signal: 

$\downarrow\neg(In1 \vee In2) \Leftrightarrow ((\uparrow In1 \wedge \uparrow In2) \vee (\uparrow In1 \wedge \bot In2) \vee (\bot In1 \wedge \uparrow In2))$ . 

After we have established a calculus for the transition formulas in the 
next section, these two statements can be proved. 
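The point semantics of Sect. 9.2.1 and 9.2.2 and the two NOR statements just given can also be checked mechanically on sample traces. The following Python is an added example and not part of the book: a state is a finitely variable Boolean function of time stored as constant pieces (a constructed representation), $\backslash S$ and $/S$ read its value in a left or right neighborhood of a point, and $\uparrow$, $\downarrow$, $\top$ and $\bot$ are built from them exactly as defined above; nor_laws_hold evaluates the two NOR equivalences, and the fact that exactly one of the four point formulas holds at any point, at every switching point of constructed input traces.

```python
from typing import Callable, List, Tuple

Piece = Tuple[float, float, int]   # (start, end, value): S has this value on [start, end)


class State:
    """A finitely variable Boolean-valued function of time on [start, end], stored as
    contiguous constant pieces (a constructed representation of a DC Boolean state)."""

    def __init__(self, pieces: List[Piece]):
        assert pieces and all(a < b and v in (0, 1) for a, b, v in pieces)
        assert all(pieces[i][1] == pieces[i + 1][0] for i in range(len(pieces) - 1))
        self.pieces = pieces

    @property
    def start(self) -> float:
        return self.pieces[0][0]

    @property
    def end(self) -> float:
        return self.pieces[-1][1]

    def left(self, t: float) -> int:
        """The constant value of S on some left neighborhood (t - d, t), d > 0."""
        for a, b, v in self.pieces:
            if a < t <= b:
                return v
        raise ValueError(f"{t} has no left neighborhood inside [{self.start}, {self.end}]")

    def right(self, t: float) -> int:
        """The constant value of S on some right neighborhood (t, t + d), d > 0."""
        for a, b, v in self.pieces:
            if a <= t < b:
                return v
        raise ValueError(f"{t} has no right neighborhood inside [{self.start}, {self.end}]")

    def cuts(self) -> List[float]:
        """All switching points of S, together with the domain ends."""
        return sorted({a for a, _, _ in self.pieces} | {self.end})


def combine(f: Callable[..., int], *states: State) -> State:
    """Pointwise Boolean operation on states over one domain; the result is finitely
    variable because it can only switch where one of the inputs switches."""
    assert len({(s.start, s.end) for s in states}) == 1
    cuts = sorted(set().union(*(s.cuts() for s in states)))
    return State([(a, b, int(f(*(s.right(a) for s in states)))) for a, b in zip(cuts, cuts[1:])])


def neg(s: State) -> State:
    return combine(lambda x: 1 - x, s)


def lor(s1: State, s2: State) -> State:
    return combine(lambda x, y: x | y, s1, s2)


# Transition formulas at a point t strictly inside the domain (Sect. 9.2.1 and 9.2.2).
def lnb(s: State, t: float) -> bool:   # \S : S constantly 1 in a left neighborhood of t
    return s.left(t) == 1


def rnb(s: State, t: float) -> bool:   # /S : S constantly 1 in a right neighborhood of t
    return s.right(t) == 1


def up(s: State, t: float) -> bool:    # ↑S = \¬S ∧ /S (rising edge)
    return lnb(neg(s), t) and rnb(s, t)


def down(s: State, t: float) -> bool:  # ↓S = \S ∧ /¬S (falling edge)
    return lnb(s, t) and rnb(neg(s), t)


def top(s: State, t: float) -> bool:   # ⊤S = \S ∧ /S (stable high)
    return lnb(s, t) and rnb(s, t)


def bot(s: State, t: float) -> bool:   # ⊥S = \¬S ∧ /¬S (stable low)
    return lnb(neg(s), t) and rnb(neg(s), t)


def edges(s: State) -> Tuple[List[float], List[float]]:
    """Times of the rising and of the falling edges of a state."""
    interior = [t for t in s.cuts() if s.start < t < s.end]
    return ([t for t in interior if up(s, t)], [t for t in interior if down(s, t)])


def nor_laws_hold(in1: State, in2: State) -> bool:
    """Check, at every switching point of either input, the two NOR statements for
    Out = ¬(In1 ∨ In2), and that exactly one of ↑, ↓, ⊤, ⊥ holds for each wire."""
    out = neg(lor(in1, in2))
    for t in [t for t in out.cuts() if out.start < t < out.end]:
        rising = (down(in1, t) and down(in2, t)) or (down(in1, t) and bot(in2, t)) \
            or (bot(in1, t) and down(in2, t))
        falling = (up(in1, t) and up(in2, t)) or (up(in1, t) and bot(in2, t)) \
            or (bot(in1, t) and up(in2, t))
        if up(out, t) != rising or down(out, t) != falling:
            return False
        for s in (in1, in2, out):
            if sum((up(s, t), down(s, t), top(s, t), bot(s, t))) != 1:
                return False
    return True
```

With In1 high on [2, 5) and In2 high on [0, 1) over the domain [0, 8], the output rises at 1 (In2 falls while In1 is low) and at 5 (In1 falls while In2 is low) and falls at 2 (In1 rises while In2 is low), which is what the two statements predict; a trace where both inputs fall at the same instant exercises the first disjunct.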

One can also apply DC to specify and reason about the real-time behavior 
of combinational and sequential circuits [52]. Although we do not elaborate 
on real-time issues of circuit design in this book, we indicate here how a transmission 
delay and an inertial delay in a rising signal Out can be expressed 
in DC extended with transition formulas. For example, 

$(\uparrow\neg(In1 \vee In2) \frown (\ell = d)) \Leftrightarrow ((\ell = d) \frown \uparrow Out)$ 

specifies a transmission delay of $d > 0$ in the output rising signal of the NOR 
circuit, such that the time difference between an input rising signal and its 
corresponding output rising signal is $d$, and the formula 

$(\uparrow\neg(In1 \vee In2) \frown (\lceil\neg(In1 \vee In2)\rceil \wedge (\ell = d))) \Leftrightarrow ((\ell = d) \frown \uparrow Out)$ 

specifies an inertial delay of $d > 0$ of the output rising signal of the NOR 
circuit. Namely, an input rising signal will not be propagated to the output 
wire unless the inputs are stable for $d$ time units. Similarly, we can specify 
the transmission and inertial delays of the falling signals of the circuit by the 
formulas 

$(\downarrow\neg(In1 \vee In2) \frown (\ell = d)) \Leftrightarrow ((\ell = d) \frown \downarrow Out)$ 

and 

$(\downarrow\neg(In1 \vee In2) \frown (\lceil In1 \vee In2\rceil \wedge (\ell = d))) \Leftrightarrow ((\ell = d) \frown \downarrow Out)$ , 

respectively. 



9.3 Calculus for State Transitions 

The state transition calculus described here is a conservative extension of 
DC. The additional axioms of state transition calculus will be presented in 
two groups. The first group provides propositional axioms for the transition 
formulas, and the second group provides axioms with respect to the chop 
modality. These two groups, together with DC, constitute a relatively com- 
plete state transition calculus. 
9.3.1 Proof System: Part I 

The first group of axioms provides a propositional calculus of the transition 
formulas: 

ST1 $\boldsymbol{\backslash}1$ and $\boldsymbol{/}1$ . 

ST2 $\boldsymbol{\backslash}(S_1 \vee S_2) \Leftrightarrow (\boldsymbol{\backslash}S_1 \vee \boldsymbol{\backslash}S_2)$ and $\boldsymbol{/}(S_1 \vee S_2) \Leftrightarrow (\boldsymbol{/}S_1 \vee \boldsymbol{/}S_2)$ . 

ST3 $\boldsymbol{\backslash}\neg S \Leftrightarrow \neg\boldsymbol{\backslash}S$ and $\boldsymbol{/}\neg S \Leftrightarrow \neg\boldsymbol{/}S$ . 

ST4 If $S_1 \Rightarrow S_2$, then $\boldsymbol{\backslash}S_1 \Rightarrow \boldsymbol{\backslash}S_2$ and $\boldsymbol{/}S_1 \Rightarrow \boldsymbol{/}S_2$ . 

The axiom ST1 formalizes the constant presence of 1 in terms of the 
transition formulas. ST2 and ST3 certify the distributivity of $\boldsymbol{\backslash}$ and $\boldsymbol{/}$ over 
disjunction and negation. ST4 defines the monotonicity of $\boldsymbol{\backslash}$ and $\boldsymbol{/}$. 
With this group of axioms, we can prove the following theorem. 

Theorem 9.1 

1. $\neg\boldsymbol{\backslash}0$ and $\neg\boldsymbol{/}0$ . 

2. $\boldsymbol{\backslash}(S_1 \wedge S_2) \Leftrightarrow (\boldsymbol{\backslash}S_1 \wedge \boldsymbol{\backslash}S_2)$ and $\boldsymbol{/}(S_1 \wedge S_2) \Leftrightarrow (\boldsymbol{/}S_1 \wedge \boldsymbol{/}S_2)$ . 

Proof. We present here proofs of $\neg\boldsymbol{\backslash}0$ and of the distributivity of $\boldsymbol{\backslash}$ over 
conjunction only. A proof of the first case is 

$\neg\boldsymbol{\backslash}0$ 
$\Leftrightarrow \neg\boldsymbol{\backslash}\neg 1$   ST4 
$\Leftrightarrow \neg\neg\boldsymbol{\backslash}1$   ST3 
$\Leftrightarrow \boldsymbol{\backslash}1$   PL 
$\Leftrightarrow true$   ST1 , 

and a proof of the second case is 

$\boldsymbol{\backslash}(S_1 \wedge S_2)$ 
$\Leftrightarrow \boldsymbol{\backslash}\neg(\neg S_1 \vee \neg S_2)$   ST4 
$\Leftrightarrow \neg\boldsymbol{\backslash}(\neg S_1 \vee \neg S_2)$   ST3 
$\Leftrightarrow \neg(\boldsymbol{\backslash}\neg S_1 \vee \boldsymbol{\backslash}\neg S_2)$   ST2 
$\Leftrightarrow \neg(\neg\boldsymbol{\backslash}S_1 \vee \neg\boldsymbol{\backslash}S_2)$   ST3 
$\Leftrightarrow \boldsymbol{\backslash}S_1 \wedge \boldsymbol{\backslash}S_2$   PL . 

□ 

A similar propositional calculus for $\backslash S$ and $/S$ can be derived from 
ST1 - ST4. 



Theorem 9.2 

1. $\backslash 1 \Leftrightarrow (\ell = 0)$ and $/1 \Leftrightarrow (\ell = 0)$ . 

2. $\neg\backslash 0$ and $\neg/0$ . 

3. $\backslash(S_1 \vee S_2) \Leftrightarrow (\backslash S_1 \vee \backslash S_2)$ and $/(S_1 \vee S_2) \Leftrightarrow (/S_1 \vee /S_2)$ . 

4. $\backslash\neg S \Leftrightarrow ((\ell = 0) \wedge \neg\backslash S)$ and $/\neg S \Leftrightarrow ((\ell = 0) \wedge \neg/S)$ . 

5. $\backslash(S_1 \wedge S_2) \Leftrightarrow (\backslash S_1 \wedge \backslash S_2)$ and $/(S_1 \wedge S_2) \Leftrightarrow (/S_1 \wedge /S_2)$ . 

6. If $S_1 \Rightarrow S_2$, then $\backslash S_1 \Rightarrow \backslash S_2$ and $/S_1 \Rightarrow /S_2$ . 

Proof. We present proofs of two of these assertions only. 

The formula $\backslash(S_1 \vee S_2) \Leftrightarrow (\backslash S_1 \vee \backslash S_2)$ is proved as follows: 

$\backslash(S_1 \vee S_2)$ 
$\Leftrightarrow (\ell = 0) \wedge \boldsymbol{\backslash}(S_1 \vee S_2)$   Def($\backslash$) 
$\Leftrightarrow (\ell = 0) \wedge (\boldsymbol{\backslash}S_1 \vee \boldsymbol{\backslash}S_2)$   ST2 
$\Leftrightarrow \backslash S_1 \vee \backslash S_2$   Def($\backslash$) . 

The formula $\backslash\neg S \Leftrightarrow ((\ell = 0) \wedge \neg\backslash S)$ is proved as follows: 

$\backslash\neg S$ 
$\Leftrightarrow (\ell = 0) \wedge \boldsymbol{\backslash}\neg S$   Def($\backslash$) 
$\Leftrightarrow (\ell = 0) \wedge \neg\boldsymbol{\backslash}S$   ST3 
$\Leftrightarrow (\ell = 0) \wedge (\neg(\ell = 0) \vee \neg\boldsymbol{\backslash}S)$   PL 
$\Leftrightarrow (\ell = 0) \wedge \neg((\ell = 0) \wedge \boldsymbol{\backslash}S)$   PL 
$\Leftrightarrow (\ell = 0) \wedge \neg\backslash S$   Def($\backslash$) . 

□ 



We can also derive a propositional calculus for $\downarrow S$, $\uparrow S$, $\bot S$ and $\top S$. 

Theorem 9.3 

1. Completeness and Exclusiveness 

$(\uparrow S \vee \downarrow S \vee \top S \vee \bot S) \Leftrightarrow (\ell = 0)$ and 
$\neg(*S \wedge *'S)$, for $*, *' \in \{\uparrow, \downarrow, \top, \bot\}$ and $* \neq *'$ . 

2. Constant One 

$\neg\uparrow 1$, $\top 1 \Leftrightarrow (\ell = 0)$ and $\neg\downarrow 1$ . 

3. Constant Zero 

$\neg\uparrow 0$, $\neg\downarrow 0$, $\neg\top 0$ and $\bot 0 \Leftrightarrow (\ell = 0)$ . 

4. Disjunction 

$\uparrow(S_1 \vee S_2) \Leftrightarrow ((\uparrow S_1 \wedge \uparrow S_2) \vee (\uparrow S_1 \wedge \bot S_2) \vee (\bot S_1 \wedge \uparrow S_2))$ , 
$\downarrow(S_1 \vee S_2) \Leftrightarrow ((\downarrow S_1 \wedge \downarrow S_2) \vee (\downarrow S_1 \wedge \bot S_2) \vee (\bot S_1 \wedge \downarrow S_2))$ , 
$\top(S_1 \vee S_2) \Leftrightarrow (\top S_1 \vee \top S_2 \vee (\downarrow S_1 \wedge \uparrow S_2) \vee (\uparrow S_1 \wedge \downarrow S_2))$ and 
$\bot(S_1 \vee S_2) \Leftrightarrow (\bot S_1 \wedge \bot S_2)$ . 

5. Negation 

$\uparrow S \Leftrightarrow \downarrow\neg S$, $\downarrow S \Leftrightarrow \uparrow\neg S$, $\top S \Leftrightarrow \bot\neg S$ and $\bot S \Leftrightarrow \top\neg S$ . 

6. Conjunction 

$\uparrow(S_1 \wedge S_2) \Leftrightarrow ((\uparrow S_1 \wedge \uparrow S_2) \vee (\uparrow S_1 \wedge \top S_2) \vee (\top S_1 \wedge \uparrow S_2))$ , 
$\downarrow(S_1 \wedge S_2) \Leftrightarrow ((\downarrow S_1 \wedge \downarrow S_2) \vee (\downarrow S_1 \wedge \top S_2) \vee (\top S_1 \wedge \downarrow S_2))$ , 
$\top(S_1 \wedge S_2) \Leftrightarrow (\top S_1 \wedge \top S_2)$ and 
$\bot(S_1 \wedge S_2) \Leftrightarrow (\bot S_1 \vee \bot S_2 \vee (\uparrow S_1 \wedge \downarrow S_2) \vee (\downarrow S_1 \wedge \uparrow S_2))$ . 

7. Congruence 

If $S_1 \Leftrightarrow S_2$, then $*S_1 \Leftrightarrow *S_2$, where $* \in \{\uparrow, \downarrow, \top, \bot\}$ . 
Proof. We present only the following proofs. 

Proof of $\neg(\uparrow S \wedge \downarrow S)$: 

$\uparrow S \wedge \downarrow S$ 
$\Leftrightarrow \backslash\neg S \wedge /S \wedge \backslash S \wedge /\neg S$   Def($\uparrow$, $\downarrow$) 
$\Leftrightarrow \backslash(\neg S \wedge S) \wedge /(S \wedge \neg S)$   TH9.2(5) 
$\Leftrightarrow \backslash 0 \wedge /0$   TH9.2(6) 
$\Leftrightarrow false$   TH9.2(2) . 

Proof of $\neg\uparrow 1$: 

$\neg\uparrow 1$ 
$\Leftrightarrow \neg(\backslash 0 \wedge /1)$   Def($\uparrow$) 
$\Leftrightarrow \neg\backslash 0 \vee \neg/1$   PL 
$\Leftrightarrow true$   TH9.2(2) . 

To prove $\bot 0 \Leftrightarrow (\ell = 0)$, we use the definition of $\bot$ and Theorem 9.2(1): 

$\bot 0 \Leftrightarrow (\backslash 1 \wedge /1) \Leftrightarrow (\ell = 0)$ . 

Proof of $\uparrow(S_1 \wedge S_2) \Leftrightarrow ((\uparrow S_1 \wedge \uparrow S_2) \vee (\uparrow S_1 \wedge \top S_2) \vee (\top S_1 \wedge \uparrow S_2))$: 

$\uparrow(S_1 \wedge S_2)$ 
$\Leftrightarrow \backslash\neg(S_1 \wedge S_2) \wedge /(S_1 \wedge S_2)$   Def($\uparrow$) 
$\Leftrightarrow \backslash(\neg S_1 \vee \neg S_2) \wedge /(S_1 \wedge S_2)$   TH9.2(6) 
$\Leftrightarrow (\backslash\neg S_1 \vee \backslash\neg S_2) \wedge /S_1 \wedge /S_2$   TH9.2(3)(5) 
$\Leftrightarrow (\backslash\neg S_1 \wedge /S_1 \wedge /S_2) \vee (\backslash\neg S_2 \wedge /S_1 \wedge /S_2)$   PL 
$\Leftrightarrow (\uparrow S_1 \wedge /S_2) \vee (\uparrow S_2 \wedge /S_1)$   Def($\uparrow$) 
$\Leftrightarrow (\uparrow S_1 \wedge /S_2 \wedge \backslash(S_2 \vee \neg S_2)) \vee (\uparrow S_2 \wedge /S_1 \wedge \backslash(S_1 \vee \neg S_1))$   TH9.2(6)(1) 
$\Leftrightarrow (\uparrow S_1 \wedge /S_2 \wedge (\backslash S_2 \vee \backslash\neg S_2)) \vee (\uparrow S_2 \wedge /S_1 \wedge (\backslash S_1 \vee \backslash\neg S_1))$   TH9.2(3) 
$\Leftrightarrow (\uparrow S_1 \wedge ((/S_2 \wedge \backslash S_2) \vee (/S_2 \wedge \backslash\neg S_2))) \vee (\uparrow S_2 \wedge ((/S_1 \wedge \backslash S_1) \vee (/S_1 \wedge \backslash\neg S_1)))$   PL 
$\Leftrightarrow (\uparrow S_1 \wedge (\top S_2 \vee \uparrow S_2)) \vee (\uparrow S_2 \wedge (\top S_1 \vee \uparrow S_1))$   Def($\uparrow$, $\top$) 
$\Leftrightarrow (\uparrow S_1 \wedge \uparrow S_2) \vee (\uparrow S_1 \wedge \top S_2) \vee (\top S_1 \wedge \uparrow S_2)$   PL . 

Proof of $\uparrow S \Leftrightarrow \downarrow\neg S$: 

$\uparrow S$ 
$\Leftrightarrow \backslash\neg S \wedge /S$   Def($\uparrow$) 
$\Leftrightarrow \backslash\neg S \wedge /\neg\neg S$   TH9.2(6) 
$\Leftrightarrow \downarrow\neg S$   Def($\downarrow$) . 

We are ready to prove three of the statements made in Sect. 9.2. 
The statement 

if $S_1 \Rightarrow \neg S_2$, then $(\downarrow S_1 \wedge \uparrow S_2) \Leftrightarrow (\backslash S_1 \wedge /S_2)$ 

is proved as follows: 

$\downarrow S_1 \wedge \uparrow S_2$ 
$\Leftrightarrow \backslash S_1 \wedge /\neg S_1 \wedge \backslash\neg S_2 \wedge /S_2$   Def($\downarrow$, $\uparrow$) 
$\Leftrightarrow \backslash(S_1 \wedge \neg S_2) \wedge /(\neg S_1 \wedge S_2)$   TH9.2(5) 
$\Leftrightarrow \backslash S_1 \wedge /S_2$   TH9.2(6), ($S_1 \Rightarrow \neg S_2$) . 

The formula 

$\uparrow\neg(In1 \vee In2) \Leftrightarrow ((\downarrow In1 \wedge \downarrow In2) \vee (\downarrow In1 \wedge \bot In2) \vee (\bot In1 \wedge \downarrow In2))$ 

is proved by 

$\uparrow\neg(In1 \vee In2)$ 
$\Leftrightarrow \downarrow(In1 \vee In2)$   TH9.3(5) 
$\Leftrightarrow (\downarrow In1 \wedge \downarrow In2) \vee (\downarrow In1 \wedge \bot In2) \vee (\bot In1 \wedge \downarrow In2)$   TH9.3(4) . 

The formula 

$\downarrow\neg(In1 \vee In2) \Leftrightarrow ((\uparrow In1 \wedge \uparrow In2) \vee (\uparrow In1 \wedge \bot In2) \vee (\bot In1 \wedge \uparrow In2))$ 

is proved by 

$\downarrow\neg(In1 \vee In2)$ 
$\Leftrightarrow \uparrow(In1 \vee In2)$   TH9.3(5) 
$\Leftrightarrow (\uparrow In1 \wedge \uparrow In2) \vee (\uparrow In1 \wedge \bot In2) \vee (\bot In1 \wedge \uparrow In2)$   TH9.3(4) . 



9.3.2 Proof System: Part II 

The second group of axioms consists of two axioms to reason about the 
transition formulas with respect to the chop modality: 

N1 $\boldsymbol{\backslash}S \Leftrightarrow (\backslash S \frown true)$ and $\boldsymbol{/}S \Leftrightarrow (true \frown /S)$ . 

N2 $((\ell > 0) \frown \backslash S) \Leftrightarrow (true \frown \lceil S \rceil)$ and $(/S \frown (\ell > 0)) \Leftrightarrow (\lceil S \rceil \frown true)$ . 

The axiom N1 expresses the assertion that the truth of $\boldsymbol{\backslash}S$ over an 
interval is determined by $\backslash S$ at the beginning point of the interval, and 
that the truth of $\boldsymbol{/}S$ over an interval is determined by $/S$ at the ending 
point of the interval. N2 formalizes the assertion that $\backslash S$ or $/S$ holds at 
a point iff there exists a left or right neighborhood, respectively, of the point 
where $S$ takes the value 1 constantly. 

The following theorem can help us to understand these two axioms. 
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Theorem 9.4 

1. If^S or /^S holds in a prefix or suffix ^ respectively, of an interval, it 
will hold in the interval: 

(\S "^true) ^ and (true ^ y^5) ^5 . 

2. If \^S or holds in an interval, it will hold in any prefix or suffix, 
respectively, of the interval: 

-i^-i5"^true) and => -'(true'^ >^->5) . 

3. or holds in an interval iff there exists a left or right neighborhood 
of the beginning or ending point, respectively, of the interval where S takes 
the value 1 constantly. That is, for any r > 0, 

{{£ = r)"" \S) (((£ = r) A (true 5])) ^^true) 



and 



{/^S^{£ = r)) ^ (true^((^ = r) A ([5]| '^true))) . 

Proof. We sketch proofs below. Proof of $(\backslash S \frown true) \Rightarrow \backslash S$:

$\backslash S \frown true$
$\Leftrightarrow \backslash S \frown true \frown true$   N1
$\Leftrightarrow \backslash S \frown true$   IL
$\Rightarrow \backslash S$   N1.

Proof of $\backslash S \Rightarrow \neg(\backslash\neg S \frown true)$:

$\backslash S \wedge (\backslash\neg S \frown true)$
$\Rightarrow (\backslash S \frown true) \wedge (\backslash\neg S \frown true \frown true)$   N1
$\Rightarrow (\backslash S \wedge \backslash\neg S) \frown true$   IL17
$\Rightarrow false \frown true$   ST3
$\Rightarrow false$   IL13.

Proof of $((\ell = r) \frown \backslash S) \Leftrightarrow (((\ell = r) \wedge (true \frown \lceil S\rceil)) \frown true)$:

$(\ell = r) \frown \backslash S$
$\Leftrightarrow (\ell = r) \frown \backslash S \frown true$   N1
$\Leftrightarrow ((\ell = r) \wedge (true \frown \lceil S\rceil)) \frown true$   N2.

□

From N2, we can establish a theorem expressing the relationship between a state $S$ and the formulas $\uparrow S$, $\downarrow S$, $\top S$ and $\bot S$.

Theorem 9.5 For any $r > 0$:

1. $((\ell = r) \frown \uparrow S \frown (\ell > 0)) \Leftrightarrow (((\ell = r) \wedge (true \frown \lceil\neg S\rceil)) \frown \lceil S\rceil \frown true)$.

2. $((\ell = r) \frown \downarrow S \frown (\ell > 0)) \Leftrightarrow (((\ell = r) \wedge (true \frown \lceil S\rceil)) \frown \lceil\neg S\rceil \frown true)$.

3. $((\ell = r) \frown \top S \frown (\ell > 0)) \Leftrightarrow (((\ell = r) \wedge (true \frown \lceil S\rceil)) \frown \lceil S\rceil \frown true)$.

4. $((\ell = r) \frown \bot S \frown (\ell > 0)) \Leftrightarrow (((\ell = r) \wedge (true \frown \lceil\neg S\rceil)) \frown \lceil\neg S\rceil \frown true)$.

Proof. We sketch a proof of the first assertion only, as the rest can be proved similarly.

$(\ell = r) \frown \uparrow S \frown (\ell > 0)$
$\Leftrightarrow (\ell = r) \frown (\backslash\neg S \wedge /S) \frown (\ell > 0)$   Def($\uparrow$)
$\Leftrightarrow ((\ell = r) \wedge (true \frown \lceil\neg S\rceil)) \frown \lceil S\rceil \frown true$   N2.

□



9.3.3 Soundness and Relative Completeness

The proof system of DC, together with ST1–ST4, N1 and N2, forms the state transition calculus considered here. We formulate here the theorems of the soundness and relative completeness of the state transition calculus, and sketch their proofs.

Theorem 9.6 The state transition calculus is sound.

Proof. The reasoning used in the proof of the soundness of DC (Theorem 3.2) can also be applied to the proof of this theorem, provided we can first prove that the additional axioms, ST1–ST4, N1 and N2, are sound. The soundness of any axiom (designated $\phi$) of ST1–ST3, N1 and N2 can be formulated as the validity of $\phi$. That is, for any interpretation $\mathcal{I}$, value assignment $\mathcal{V}$ and interval $[b, e]$,

$\mathcal{I}, \mathcal{V}, [b, e] \models \phi$.

The soundness of ST4 is formulated as follows: if $S_1 \Rightarrow S_2$ is valid in propositional logic, then for any interpretation $\mathcal{I}$, value assignment $\mathcal{V}$ and interval $[b, e]$,

$\mathcal{I}, \mathcal{V}, [b, e] \models \backslash S_1 \Rightarrow \backslash S_2$

and

$\mathcal{I}, \mathcal{V}, [b, e] \models /S_1 \Rightarrow /S_2$.

The proof of the soundness of these six axioms and rules is trivial. However, the soundness of ST2 and ST3 relies on the assumption of finite variability of states in the interpretation $\mathcal{I}$. From the finite variability of $S$, we can conclude that for any point there must exist a left and a right neighborhood of the point such that in each of these neighborhoods $S_{\mathcal{I}}$ constantly has a value of either 1 or 0. We shall not present details of the proof here.

□
Theorem 9.7 The state transition calculus is relatively complete.

Proof. We apply the same technique that was used in the proof of the relative completeness of DC (Theorem 5.1).

To transform a formula $\phi$ of $l$ state variables of the state transition calculus into a formula of IL, we do the following:

• select $k$ temporal variables, where $k$ is the number of equivalence classes of state expressions of the $l$ state variables (i.e. $k = 2^{2^l}$), and

• select $2k$ temporal propositional letters $X_1, X_2, \ldots, X_k$ and $Y_1, Y_2, \ldots, Y_k$.

We index these temporal propositional letters with the $k$ equivalence classes of the state expressions of the $l$ state variables appearing in $\phi$.

Let $S$ be a state expression of the $l$ state variables of $\phi$. Then

• the formula $\backslash S$ is transformed to $X_{[S]}$, and

• the formula $/S$ is transformed to $Y_{[S]}$.

The axioms ST1–ST4, N1 and N2 are transformed accordingly. For example, ST1 is transformed into

$X_{[1]}$ and $Y_{[1]}$,

N1 is transformed into a set of formulas of the form

$X_{[S]} \Leftrightarrow (((\ell = 0) \wedge X_{[S]}) \frown true)$ and $Y_{[S]} \Leftrightarrow (true \frown ((\ell = 0) \wedge Y_{[S]}))$,

and ST4 is transformed into a set of formulas of the form

$X_{[S_1]} \Rightarrow X_{[S_2]}$ and $Y_{[S_1]} \Rightarrow Y_{[S_2]}$,

where $S_1$ and $S_2$ range over the state expressions of the $l$ state variables of $\phi$, and $S_1 \Rightarrow S_2$ holds in propositional logic.

In order to follow the proof of Theorem 5.1, all lemmas and theorems established for Theorem 5.1 must be revised to conclude the necessary properties of not only the selected temporal variables, but also the selected propositional letters. We can therefore prove the relative completeness of the state transition calculus. However, the details of the proof are left to readers as an exercise. □



9.4 Example: Automaton 

This section presents, in the state transition calculus, a formal specification 
and verification of the refinement of the gas burner example shown as an 
automaton in Fig. 9.1. 







9.4.1 Specification

A formal specification of the automaton can be given by formulating properties of its states, state transitions and events in the state transition calculus. The resulting formulas are considered nonlogical axioms to define Boolean state models of the behavior of the automaton. Let

Idle, Purge, Ignite, Burn and Failure

be the five state variables used to denote the corresponding states of the automaton. The formulas (referred to as Auto1(a), etc. in Sect. 9.4.2) are the following.

1. State Completeness and Exclusiveness

(a) At any time, the automaton is in one of its five states:

$\lceil\,\rceil \vee \lceil Idle \vee Purge \vee Ignite \vee Burn \vee Failure\rceil$.

(b) At any time, the automaton is in at most one of the five states:

$\lceil\,\rceil \vee \lceil \bigwedge_{S_1 \neq S_2} (S_1 \Rightarrow \neg S_2)\rceil$,

where $S_1$ and $S_2$ range over the set of the five state variables.

2. Events and State Transitions

(a) Four events:

$HeatOn \;\widehat{=}\; (\downarrow Idle \wedge \uparrow Purge)$
$Out30 \;\widehat{=}\; (\downarrow Purge \wedge \uparrow Ignite)$
$DeFail \;\widehat{=}\; (\downarrow(Ignite \vee Burn) \wedge \uparrow Failure)$
$HeatOff \;\widehat{=}\; (\downarrow Burn \wedge \uparrow Idle)$.

(b) Seven state transitions (the five formulas below cover the seven arrows of the automaton):

$\downarrow Idle \Rightarrow \uparrow Purge$
$\downarrow Purge \Rightarrow \uparrow Ignite$
$\downarrow Ignite \Rightarrow \uparrow(Burn \vee Failure)$
$\downarrow Burn \Rightarrow \uparrow(Idle \vee Failure)$
$\downarrow Failure \Rightarrow \uparrow Idle$.

3. Real-time Constraints

(a) The event Out30 appears 30 seconds after the automaton enters Purge:

$(\uparrow Purge \frown (\ell = 30)) \Rightarrow (\uparrow Purge \frown \lceil Purge\rceil \frown Out30)$.

(b) Treatment of a failure must be finished within one second:

$\lceil Failure\rceil \Rightarrow (\ell \le 1)$.
The above three groups of formulas constitute a specification of the automaton. Let Auto denote the set of all formulas in these three groups. To verify the refinement, a deduction

$Auto \vdash Des_1 \wedge Des_2$

must be established in the state transition calculus. This is done in the following subsection.

9.4.2 Verification

Failure is the only state of the automaton in which gas is leaking. Thus, we can introduce Leak as corresponding to Failure:

$Leak \;\widehat{=}\; Failure$.

We present a lemma first.

Lemma 9.1 For any state expression $S$,

$(\lceil S\rceil \frown true \frown \lceil\neg S\rceil) \Rightarrow (\lceil S\rceil \frown \downarrow S \frown true \frown \lceil\neg S\rceil)$.

Proof. The proof is by induction using Theorem 3.5, and the induction hypothesis is

$R(X) \;\widehat{=}\; (\lceil S\rceil \frown X \frown \lceil\neg S\rceil \Rightarrow \lceil S\rceil \frown \downarrow S \frown true \frown \lceil\neg S\rceil)$.

The base case $\vdash R(\lceil\,\rceil)$ is established as follows:

$\lceil S\rceil \frown \lceil\,\rceil \frown \lceil\neg S\rceil$
$\Leftrightarrow \lceil S\rceil \frown \lceil\neg S\rceil$   IL18
$\Leftrightarrow \exists x > 0.((\ell = x) \wedge \lceil S\rceil) \frown \lceil\neg S\rceil$   Def($\lceil S\rceil$)
$\Rightarrow \exists x > 0.((\ell = x) \wedge \lceil S\rceil) \frown \downarrow S \frown \lceil\neg S\rceil$   TH9.5(2)
$\Rightarrow \lceil S\rceil \frown \downarrow S \frown true \frown \lceil\neg S\rceil$   L3.

The inductive step is

$R(X) \vdash R(\lceil\,\rceil \vee (\lceil S\rceil \frown X) \vee (\lceil\neg S\rceil \frown X))$,

where the formula $R(\lceil\,\rceil \vee (\lceil S\rceil \frown X) \vee (\lceil\neg S\rceil \frown X))$ is:

$\lceil S\rceil \frown (\lceil\,\rceil \vee (\lceil S\rceil \frown X) \vee (\lceil\neg S\rceil \frown X)) \frown \lceil\neg S\rceil \Rightarrow (\lceil S\rceil \frown \downarrow S \frown true \frown \lceil\neg S\rceil)$.

Since $\lceil S\rceil \frown (\lceil\,\rceil \vee (\lceil S\rceil \frown X) \vee (\lceil\neg S\rceil \frown X)) \frown \lceil\neg S\rceil$ implies, by IL14,

$(\lceil S\rceil \frown \lceil\,\rceil \frown \lceil\neg S\rceil) \vee (\lceil S\rceil \frown (\lceil S\rceil \frown X) \frown \lceil\neg S\rceil) \vee (\lceil S\rceil \frown (\lceil\neg S\rceil \frown X) \frown \lceil\neg S\rceil)$,

it suffices (by PL) to prove the following three cases in order to establish the inductive step:

1. $R(X) \vdash R(\lceil\,\rceil)$: this is covered by the base case $\vdash R(\lceil\,\rceil)$.

2. $R(X) \vdash R(\lceil S\rceil \frown X)$:

$\lceil S\rceil \frown \lceil S\rceil \frown X \frown \lceil\neg S\rceil$
$\Rightarrow \lceil S\rceil \frown X \frown \lceil\neg S\rceil$   DC17
$\Rightarrow \lceil S\rceil \frown \downarrow S \frown true \frown \lceil\neg S\rceil$   R(X).

3. $R(X) \vdash R(\lceil\neg S\rceil \frown X)$:

$\lceil S\rceil \frown \lceil\neg S\rceil \frown X \frown \lceil\neg S\rceil$
$\Rightarrow \lceil S\rceil \frown \downarrow S \frown true \frown \lceil\neg S\rceil \frown X \frown \lceil\neg S\rceil$   $R(\lceil\,\rceil)$
$\Rightarrow \lceil S\rceil \frown \downarrow S \frown true \frown \lceil\neg S\rceil$   IL.

□

With this lemma, we can prove the following theorem.

Theorem 9.8

$Auto \vdash Des_1 \wedge Des_2$,

where

$Des_1 \;\widehat{=}\; \Box(\lceil Leak\rceil \Rightarrow \ell \le 1)$ and
$Des_2 \;\widehat{=}\; \Box((\lceil Leak\rceil \frown \lceil\neg Leak\rceil \frown \lceil Leak\rceil) \Rightarrow \ell \ge 30)$.

Proof. The case $Auto \vdash Des_1$ is established by using Auto3(b) and IL4.

We sketch a deduction of

$Auto \vdash Des_2$

in the following.

$\lceil Leak\rceil \frown \lceil\neg Leak\rceil \frown \lceil Leak\rceil$
$\Rightarrow \lceil Leak\rceil \frown \downarrow Leak \frown \lceil\neg Leak\rceil \frown \lceil Leak\rceil$   TH9.5(2)
$\Rightarrow \lceil Leak\rceil \frown \uparrow Idle \frown \lceil\neg Leak\rceil \frown \lceil Leak\rceil$   Auto2(b)
$\Rightarrow (\ell > 0) \frown \lceil Idle\rceil \frown true \frown \lceil Leak\rceil$   TH9.5(1)
$\Rightarrow (\ell > 0) \frown \lceil Idle\rceil \frown true \frown \lceil Leak \wedge \neg Idle\rceil$   Auto1(b)
$\Rightarrow (\ell > 0) \frown \downarrow Idle \frown true \frown \lceil Leak\rceil$   LM9.1
$\Rightarrow (\ell > 0) \frown \uparrow Purge \frown true \frown \lceil Leak\rceil$   Auto2(b)
$\Rightarrow true \frown \uparrow Purge \frown \lceil Purge\rceil \frown true \frown \lceil Leak\rceil$   TH9.5(1)
$\Rightarrow true \frown \uparrow Purge \frown \lceil Purge\rceil \frown true \frown \lceil Leak \wedge \neg Purge\rceil$   Auto1(b)
$\Rightarrow true \frown \uparrow Purge \frown \lceil Purge\rceil \frown \downarrow Purge \frown true$   LM9.1
$\Rightarrow true \frown \uparrow Purge \frown \lceil Purge\rceil \frown (\downarrow Purge \wedge \uparrow Ignite) \frown true$   Auto2(b)
$\Rightarrow true \frown \uparrow Purge \frown \lceil Purge\rceil \frown Out30 \frown true$   Auto2(a)
$\Rightarrow \ell \ge 30$   Auto3(a).

By introducing $\Box$ as in IL4, we can derive $Des_2$ from the conclusion obtained above. □
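The deduction above establishes $Des_1$ and $Des_2$ from Auto once and for all. The following Python program, an added example and not code from the book, checks the same formulas on a concrete run of the automaton: a run is a finitely variable Boolean state model given as consecutive segments, the transition formulas $\downarrow S$ and $\uparrow S$ are read off the left and right neighbourhoods of each switching point, and Auto1–Auto3 as well as $Des_1$ and $Des_2$ (with Leak = Failure) are checked directly. The two runs, the segment representation, the reading of Auto3(a) as "a completed Purge phase lasts exactly 30 s", and all function names are constructed for this example. The second run violates Auto3(a) (Purge phases of 10 s) and, as Theorem 9.8 predicts, also violates $Des_2$.

```python
r"""Checking a run of the gas burner automaton against Auto1-Auto3, Des1 and Des2.

Added example, not code from the book.  A run is a finitely variable Boolean
state model given as consecutive (start, end, state) segments; exactly one of
the five states holds at any time by construction (Auto1).  At a switching
point t the transition formulas are read off the neighbourhoods of t:
    \S at t  iff the segment ending at t has state S   (S holds just before t)
    /S at t  iff the segment starting at t has state S (S holds just after t)
    ↓S = \S ∧ /¬S   and   ↑S = \¬S ∧ /S
Leak is identified with Failure, as in Sect. 9.4.2.  Both runs are constructed.
"""
from dataclasses import dataclass

STATES = ("Idle", "Purge", "Ignite", "Burn", "Failure")

# Auto2(b): ↓S ⇒ ↑S' for some S' in NEXT[S].
NEXT = {"Idle": {"Purge"}, "Purge": {"Ignite"}, "Ignite": {"Burn", "Failure"},
        "Burn": {"Idle", "Failure"}, "Failure": {"Idle"}}
PURGE_TIME = 30      # Auto3(a): Out30 occurs 30 s after entering Purge
MAX_FAILURE = 1      # Auto3(b): ⌈Failure⌉ ⇒ ℓ ≤ 1
MIN_SEPARATION = 30  # Des2:     ⌈Leak⌉⌢⌈¬Leak⌉⌢⌈Leak⌉ ⇒ ℓ ≥ 30


@dataclass(frozen=True)
class Segment:
    start: float
    end: float
    state: str


def normalise(run):
    """Merge adjacent segments with the same state, so every segment is maximal."""
    out = []
    for seg in sorted(run, key=lambda s: s.start):
        if out and out[-1].state == seg.state and out[-1].end == seg.start:
            out[-1] = Segment(out[-1].start, seg.end, seg.state)
        else:
            out.append(seg)
    return out


def transition_at(run, t):
    """(S, S') such that ↓S ∧ ↑S' holds at t in a normalised run (None where no segment ends/starts)."""
    before = next((s.state for s in run if s.end == t), None)
    after = next((s.state for s in run if s.start == t), None)
    return before, after


def auto_violations(run):
    """Violated clauses of Auto on the run; an empty list means the run satisfies Auto."""
    run = normalise(run)
    bad = []
    for seg in run:
        if seg.state not in STATES or not seg.start < seg.end:
            bad.append(f"Auto1: malformed segment {seg}")
    for a, b in zip(run, run[1:]):
        if a.end != b.start:
            bad.append(f"Auto1: gap or overlap at {a.end}")
            continue
        down, up = transition_at(run, a.end)
        if up not in NEXT.get(down, set()):
            bad.append(f"Auto2(b): ↓{down} ∧ ↑{up} at t={a.end} is not a transition of the automaton")
    last = run[-1] if run else None
    for seg in run:
        length = seg.end - seg.start
        # Auto3(a): if 30 s elapse after ↑Purge, Purge held throughout and Out30 fires,
        # so a completed Purge phase lasts exactly 30 s and an ongoing one at most 30 s.
        if seg.state == "Purge" and ((seg is not last and length != PURGE_TIME) or length > PURGE_TIME):
            bad.append(f"Auto3(a): Purge phase {seg.start}-{seg.end} lasts {length} s")
        if seg.state == "Failure" and length > MAX_FAILURE:
            bad.append(f"Auto3(b): Failure phase {seg.start}-{seg.end} lasts {length} s")
    return bad


def des_violations(run):
    """Violations of Des1 and Des2 with Leak = Failure."""
    leaks = [s for s in normalise(run) if s.state == "Failure"]
    bad = [f"Des1: leak {s.start}-{s.end} longer than {MAX_FAILURE} s"
           for s in leaks if s.end - s.start > MAX_FAILURE]
    # An interval ⌈Leak⌉⌢⌈¬Leak⌉⌢⌈Leak⌉ can be shrunk to the gap between two
    # consecutive leaks plus arbitrarily short leak parts, so Des2 says: gap ≥ 30.
    bad += [f"Des2: leaks at {a.end} and {b.start} are only {b.start - a.end} s apart"
            for a, b in zip(leaks, leaks[1:]) if b.start - a.end < MIN_SEPARATION]
    return bad


# Constructed runs.  GOOD_RUN obeys Auto; BAD_RUN leaves Purge after 10 s.
GOOD_RUN = [Segment(0, 5, "Idle"), Segment(5, 35, "Purge"), Segment(35, 36, "Ignite"),
            Segment(36, 36.5, "Failure"), Segment(36.5, 40, "Idle"), Segment(40, 70, "Purge"),
            Segment(70, 71, "Ignite"), Segment(71, 100, "Burn"), Segment(100, 100.8, "Failure"),
            Segment(100.8, 110, "Idle")]
BAD_RUN = [Segment(0, 5, "Idle"), Segment(5, 15, "Purge"), Segment(15, 16, "Ignite"),
           Segment(16, 16.5, "Failure"), Segment(16.5, 20, "Idle"), Segment(20, 30, "Purge"),
           Segment(30, 31, "Ignite"), Segment(31, 31.5, "Failure"), Segment(31.5, 40, "Idle")]

if __name__ == "__main__":
    for name, run in (("GOOD_RUN", GOOD_RUN), ("BAD_RUN", BAD_RUN)):
        print(name, "Auto:", auto_violations(run) or "ok", "Des:", des_violations(run) or "ok")
```

The checker is a runtime monitor for the same requirements the proof discharges symbolically: on GOOD_RUN both lists are empty, on BAD_RUN the violated axiom Auto3(a) is reported together with the consequent violation of $Des_2$ (the two leaks at 16.5 and 31 are only 14.5 s apart).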
10.1 Introduction

In the Boolean state model, we assume state stability. That is, whenever a system enters a state, it will stay in the state throughout some period, although the length of the period can be arbitrarily small. Therefore, a state transition is a transition of a system from one stable state to another, and two consecutive state transitions must pass through an intermediate stable state which separates these two state transitions from each other. For example, let

$\backslash S_1 \wedge /S_2$ and $\backslash S_2 \wedge /S_3$

be two consecutive state transitions of a system, as shown in Fig. 10.1. The transition $\backslash S_1 \wedge /S_2$ occurs at time $t$, and $\backslash S_2 \wedge /S_3$ occurs at $t + \delta$. They are separated by a period of presence of the intermediate state $S_2$. The distance between them (i.e. the length of the presence period of $S_2$) is $\delta > 0$.

[Fig. 10.1. Two transitions separated by a stable state: $S_1$ holds before $t$, $S_2$ on $(t, t+\delta)$ and $S_3$ after $t+\delta$; the transition $\backslash S_1 \wedge /S_2$ occurs at $t$ and $\backslash S_2 \wedge /S_3$ at $t+\delta$.]



As $\delta$ can be arbitrarily small, one can ask the question of what could happen if $\delta$ becomes zero. That is, what could happen if the transitions $\backslash S_1 \wedge /S_2$ and $\backslash S_2 \wedge /S_3$ occur consecutively and also instantaneously.

It is clear that, by compressing the period $\delta$ of $S_2$ in Fig. 10.1 into a point, one can obtain the situation shown in Fig. 10.2, where $t + \delta = t$ (i.e. $\delta = 0$), and $S_1$ holds in a left neighborhood of $t$ and $S_3$ holds in a right neighborhood of $t$. In other words, we obtain a situation with a state transition from $S_1$ to $S_3$ at time $t$.

[Fig. 10.2. Effect of a superdense transition: $S_1$ holds before $t$ and $S_3$ after $t$, i.e. $\backslash S_1 \wedge /S_3$ at $t$.]



Therefore, it is interesting to allow the two consecutive state transitions

$\backslash S_1 \wedge /S_2$ and $\backslash S_2 \wedge /S_3$

to happen instantaneously by assuming that the intermediate state $S_2$ is unstable and invisible, the result being the state transition

$\backslash S_1 \wedge /S_3$.

These two consecutive and instantaneous state transitions are called superdense transitions. In general, a finite sequence of state transitions which takes place instantaneously will be called a superdense state transition. By superdense, we mean that even a time point has a dense structure, so that it can host a series of state transitions.

The superdense state transition is not only a conceptual generalization of an ordinary state transition. It also has important applications to real-time systems. We present in the following subsection an application that motivates the introduction of superdense state transitions.



10.1.1 Superdense Computation

In a digital control system, there is always a piece of program, hosted in a computer, that acts as a controller. The program can periodically receive sampled outputs from a plant, and calculate and send control signals to the plant. The program may be written in an OCCAM-like language as a loop where the body has the form

sensor?x; CAL(x, u); actuator!u; wait T,

where CAL(x, u) stands for a program segment which decides the current control signal from the current sampled data x and the previous control signal u, and T is the sampling period.

Typically, the time spent in the calculation of control signals is negligible compared with the sampling period T. So control engineers can comfortably make the assumption that the calculation program (i.e. CAL(x, u)) takes no time, and hence the plant does not evolve during the calculation. Thus, CAL(x, u) becomes a sequence of statements which are executed one by one, but consume no time. The receiving and the sending (i.e. sensor?x and actuator!u) in the program are separated from CAL(x, u), and, since CAL(x, u) consumes no time, they can also happen consecutively and instantaneously, provided the partners (i.e. sensor and actuator) are willing to communicate.

A computation of a sequence of operations which is assumed to be timeless is called a superdense computation.

A superdense computation is in fact an abstraction of a real-time computation within a context with a grand time granularity. For instance, in the digital control system, the cycle time of the computer may be nanoseconds, while the sampling period of the plant may be seconds. In other words, the calculation (CAL(x, u)) and the communications (sensor?x and actuator!u) may take microseconds or milliseconds, while the sampling period T may be seconds. A computation time with a fine time granularity is only negligible for computations that do not have infinite loops. Otherwise, the situation is known as the Zeno phenomenon or finite divergence [48].

Superdense computation also arises in the area of program refinement. One of the well-known algebraic laws for untimed programs is the combine law of assignments [129]. The combine law allows one to conclude, for example, that the two consecutive assignments

x := x + 1; x := x + 2

are equivalent to the single assignment

x := x + 3.

In order to retain the combine law for real-time programs, one may assume that the execution of an assignment takes no time. Otherwise, the execution time of two assignments may be twice the execution time of a single assignment, and it is hard to maintain the combine law. Under the assumption that assignments take no time, the following two consecutive assignments constitute a superdense computation:

x := x + 1; x := x + 2.

A notion of superdense computation is adopted in Esterel [10] and statecharts [53], and semantic models of superdense computation were introduced in [67, 73, 91]. In this chapter, we express superdense computation in DC by using superdense state transitions.

A single step of a computation can be expressed as a state transition, and hence a superdense computation can be expressed as a formula of superdense state transitions. The reason is that the value of a program variable can be interpreted as a state. A real-valued variable x of a program can change its value during the execution of the program. One can interpret x as a function of time,

$x : Time \to \mathbb{R}$.

For $v \in \mathbb{R}$, the property

$x = v$

becomes a time-dependent property of x.

It is reasonable to assume that the program is timely progressive, and hence a program variable can only change its value finitely many times in any finite period. Thus, the property $x = v$ is finitely variable, and can be taken as a Boolean state of the program.

Let us use $x = v$ as an overloaded notation to designate the program state which characterizes the property $x = v$. The assignment

x := x + 1

can then be expressed as a formula of state transitions

$\backslash(x = v) \wedge /(x = v + 1)$,

where we assume that the initial value of x before the assignment is $v$. This formula defines the condition that the assignment first inherits a value ($v$) of x from its predecessor in the left neighborhood, and then passes the new value ($v + 1$) to its successor in the right neighborhood. Similarly, the assignment

x := x + 2

can be expressed as

$\backslash(x = v + 1) \wedge /(x = v + 3)$

if we assume that the initial value of x before the assignment is $v + 1$.

A superdense computation of the two consecutive assignments

x := x + 1; x := x + 2

assumes that the passing of a value of x from (x := x + 1) to (x := x + 2) takes no time. Thus, the intermediate state $(x = v + 1)$ of the program is unstable and invisible. The computation can then be expressed as a superdense state transition

$\backslash(x = v) \wedge /(x = v + 1)$,

followed by

$\backslash(x = v + 1) \wedge /(x = v + 3)$.

The result of these superdense state transitions is

$\backslash(x = v) \wedge /(x = v + 3)$,

which expresses the assignment

x := x + 3

under the assumption that the initial value of x before the assignment is $v$.
10.1.2 Superdense Chop

The chop modality can chop a nonpoint interval into subintervals, but cannot chop a point. At a point, the chop modality degenerates into the conjunction connective. For example,

$((\backslash S_1 \wedge /S_2) \frown (\backslash S_2 \wedge /S_3)) \Leftrightarrow ((\backslash S_1 \wedge /S_2) \wedge (\backslash S_2 \wedge /S_3))$.

Thus, with the chop modality, one can express two simultaneous state transitions at a time point, but cannot express two consecutive state transitions at a time point.

In order to express superdense state transitions in DC, we need a new modality to introduce a dense structure into a point. The new modality is called the superdense chop and is denoted by $\bullet$. It can map a time instant in a grand time space (called macro time in [73]) into a nonpoint interval in a fine time space (called micro time in [73]), so that an instant action (such as the value passing of x) in a grand time space can take some time in a fine time space, and hence an unstable intermediate state (such as $x = v + 1$) of a superdense state transition in the grand time space can become stable in the fine time space.

To explain the meaning of the superdense chop, let us consider two state transitions: $(\backslash S_1 \wedge /S_2)$ and $(\backslash S_2 \wedge /S_3)$. Combining them with the superdense chop, we obtain the formula

$(\backslash S_1 \wedge /S_2) \bullet (\backslash S_2 \wedge /S_3)$.

Suppose that an interpretation of states, $\mathcal{I}$, is given. Then we define the meaning of $\bullet$ by stipulating that this formula is satisfied by $\mathcal{I}$ at a point $t$ iff there exists a refined interpretation of states (designated $\mathcal{I}'$). In $\mathcal{I}'$, the point $t$ of $\mathcal{I}$ is expanded into an interval $[t, t+\delta]$ of $\mathcal{I}'$ (for some $\delta > 0$), such that $\mathcal{I}'$ satisfies $(\backslash S_1 \wedge /S_2)$ at time $t$ and $(\backslash S_2 \wedge /S_3)$ at time $t + \delta$, and the intermediate state $S_2$ holds stably throughout the interval $(t, t+\delta)$, which links the two transitions in $\mathcal{I}'$. This situation is sketched in Fig. 10.3.

[Fig. 10.3. Refined interpretation for the superdense chop: in $\mathcal{I}$ the transition from $S_1$ to $S_3$ occurs at the point $t$; in $\mathcal{I}'$ the point is expanded to $[t, t+\delta]$ with $S_2$ holding on $(t, t+\delta)$.]
In the above explanation, both $\mathcal{I}$ and $\mathcal{I}'$ are interpretations of states, and the relation between these two interpretations is quite similar to the relation between the value assignments $\mathcal{V}$ and $\mathcal{V}'$ with which we introduce semantics for quantification over a global variable. In [60] and [163], it is indicated that the superdense chop can be defined by the original chop if we allow quantification over a state variable.

A formal calculus for superdense state transitions, called superdense state transition calculus, is presented in Sect. 10.2. Using this calculus, we define in Sect. 10.3 a real-time semantics for an OCCAM-like language with superdense computations.

10.2 Calculus for Superdense State Transitions

10.2.1 Syntax

The superdense state transition calculus contains durations of states, i.e. $\int S$, as terms, and transition formulas, i.e. $\backslash S$ and $/S$, as atomic formulas. The conventional connectives and quantifiers are also adopted. However, this calculus contains the superdense chop modality, $\bullet$, instead of the original chop modality, $\frown$. In other words, formulas of the superdense state transition calculus can be obtained from formulas of the state transition calculus presented in Chap. 9 by replacing $\frown$ with $\bullet$, and vice versa.

In this section we shall use the fact that if $\phi$ is a formula of the superdense state transition calculus, and $\phi[\frown/\bullet]$ is obtained from $\phi$ by replacing $\bullet$ with $\frown$, then $\phi[\frown/\bullet]$ is a formula of the state transition calculus. Furthermore, if $\phi$ does not contain any transition formulas (i.e. $\backslash, / \notin \phi$: no formula $\backslash S$ or $/S$ occurs in $\phi$), then $\phi[\frown/\bullet]$ becomes a formula of DC.

10.2.2 Semantics

The calculus retains the Boolean state model. Only the semantics of $\bullet$ needs to be explained, as all the other semantic definitions remain as in Chap. 9.

The semantics of $\phi \bullet \psi$ is as follows. Given an interpretation $\mathcal{I}$, a value assignment $\mathcal{V}$ and an interval $[b, e]$,

$\mathcal{I}, \mathcal{V}, [b, e] \models \phi \bullet \psi$

iff there exist $m \in [b, e]$, $\delta > 0$ and $\mathcal{I}'$ such that

$\mathcal{I}', \mathcal{V}, [b, m] \models \phi$ and $\mathcal{I}', \mathcal{V}, [m + \delta, e + \delta] \models \psi$,

and for every state variable $P$,

$P_{\mathcal{I}'}(t) = \begin{cases} P_{\mathcal{I}}(t) & \text{for } t < m \\ P_{\mathcal{I}}(t - \delta) & \text{for } t > m + \delta \\ P_{\mathcal{I}'}(m + \delta/2) & \text{for } m < t < m + \delta. \end{cases}$

In the semantic definition,

$P_{\mathcal{I}'}(t) = P_{\mathcal{I}'}(m + \delta/2)$ $(m < t < m + \delta)$

expresses the condition that every state variable $P$ (and hence every state) has a constant value in the inserted interval $(m, m + \delta)$. The intermediate, invisible value of $P$ in a superdense state transition expressed by the superdense chop $\bullet$ is represented in the inserted interval $(m, m + \delta)$.

From the semantic definition of $\phi \bullet \psi$, we can prove that the formula

$/S \bullet \backslash S$

is valid for any consistent state $S$ (i.e. $S$ is not equivalent to 0).

Let $\mathcal{I}$, $\mathcal{V}$ and $[b, e]$ be an arbitrarily given interpretation, value assignment and interval. We establish

$\mathcal{I}, \mathcal{V}, [b, e] \models /S \bullet \backslash S$

by letting $m$ be an arbitrary point in $[b, e]$, $\delta$ an arbitrary positive real number and $\mathcal{I}'$ an interpretation obtained from $\mathcal{I}$ by inserting an interval $(m, m + \delta)$, such that all states have constant values in $(m, m + \delta)$, and

$S_{\mathcal{I}'}(t) = 1$ for $m < t < m + \delta$.

That is, the state $S$ can be taken as the intermediate state of the superdense state transition expressed by $/S \bullet \backslash S$.

However, for any state $S$, the formula

$/S \bullet \backslash\neg S$

is never satisfiable, since for any $m$ and $\delta$, one cannot find a value of $S$ in the interval $(m, m + \delta)$ inserted to obtain $\mathcal{I}'$ such that $/S$ is satisfied in $[b, m]$ and at the same time $\backslash\neg S$ is satisfied in $[m + \delta, e + \delta]$. For example, if $S$ is constant and equal to 1 in $(m, m + \delta)$ for $\mathcal{I}'$, then $/S$ is satisfied by $\mathcal{I}'$, but $\backslash\neg S$ is violated by $\mathcal{I}'$. In other words, $/S \bullet \backslash\neg S$ expresses an impossible superdense state transition, since no intermediate state exists for it.
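To make the semantic definition concrete, the following Python program (an added example, not code from the book) builds the refined interpretation $\mathcal{I}'$ from $\mathcal{I}$ for a single program variable x and uses it to decide the superdense chop for point formulas: $/S \bullet \backslash S$ is satisfied by choosing $S$ as the value of the inserted interval, $/S \bullet \backslash\neg S$ admits no such choice, and the two timeless assignments x := x + 1; x := x + 2 of Sect. 10.1.1 are linked through the invisible intermediate state $x = v + 1$, while the macro-time observer sees only $\backslash(x = v) \wedge /(x = v + 3)$. The trajectory, the finite set of candidate intermediate values searched and all function names are constructed for this example.

```python
r"""Refined interpretations for the superdense chop (Sect. 10.2.2).

Added example, not code from the book.  A program variable x is interpreted
as a finitely variable trajectory x_I : Time -> int, represented by sorted
breakpoints (t_i, v_i): x has value v_i on the open interval (t_i, t_{i+1}).
The state (x = v) has value 1 where the trajectory equals v, so
    \(x = v) at t   iff   the value just before t is v
    /(x = v) at t   iff   the value just after t is v
refine(traj, m, delta, v_mid) builds I' from I exactly as the semantic
definition prescribes: I' agrees with I before m, is constantly v_mid on the
inserted interval (m, m + delta), and continues I shifted by delta afterwards.
The trajectory and the candidate set of intermediate values are constructed.
"""


def value_before(traj, t):
    """Value of x on a left neighbourhood of t (None if t is the first breakpoint)."""
    vals = [v for tb, v in traj if tb < t]
    return vals[-1] if vals else None


def value_after(traj, t):
    """Value of x on a right neighbourhood of t."""
    vals = [v for tb, v in traj if tb <= t]
    return vals[-1] if vals else None


def refine(traj, m, delta, v_mid):
    """I' from I: insert (m, m + delta) with constant value v_mid, shift the rest by delta."""
    assert delta > 0
    before = [(tb, v) for tb, v in traj if tb < m]
    after = [(tb + delta, v) for tb, v in traj if tb > m]
    resumed = (m + delta, value_after(traj, m))     # I continues just after m + delta
    return before + [(m, v_mid), resumed] + after


def left_state(pred):
    r"""\S at a point, S being the state pred(x) of the program variable."""
    return lambda traj, t: pred(value_before(traj, t))


def right_state(pred):
    """/S at a point."""
    return lambda traj, t: pred(value_after(traj, t))


def assign(v_from, v_to):
    r"""The timeless assignment with initial value v_from and result v_to as the
    transition formula \(x = v_from) ∧ /(x = v_to) at a point."""
    return lambda traj, t: value_before(traj, t) == v_from and value_after(traj, t) == v_to


def sd_chop_at(traj, m, phi, psi, candidates, delta=1.0):
    """Decide phi • psi at the point m for point formulas phi and psi.

    Following the semantic definition, search for an I' (here: a value v_mid of x
    on the inserted interval) such that phi holds at m and psi holds at m + delta
    in I'.  Returns the first intermediate value that works, or None if no
    candidate makes phi • psi hold at m."""
    for v_mid in candidates:
        refined = refine(traj, m, delta, v_mid)
        if phi(refined, m) and psi(refined, m + delta):
            return v_mid
    return None


# Constructed macro-time trajectory: x = 5 from time 0, and at t = 2 the
# superdense computation x := x + 1; x := x + 2 fires, visible only as x = 8.
X_TRAJ = [(0, 5), (2, 8)]
CANDIDATES = range(0, 20)

if __name__ == "__main__":
    def is_five(x):
        return x == 5
    # /S • \S: satisfiable, S itself is the intermediate state.
    print("/S • \\S  ->", sd_chop_at(X_TRAJ, 1, right_state(is_five), left_state(is_five), CANDIDATES))
    # /S • \¬S: no value on the inserted interval satisfies both sides.
    print("/S • \\¬S ->", sd_chop_at(X_TRAJ, 1, right_state(is_five), left_state(lambda x: not is_five(x)), CANDIDATES))
    # (\(x=5) ∧ /(x=6)) • (\(x=6) ∧ /(x=8)): the invisible state x = 6 is found,
    # while in I itself only \(x=5) ∧ /(x=8) holds at t = 2.
    print("x := x+1; x := x+2 at t=2, intermediate x =", sd_chop_at(X_TRAJ, 2, assign(5, 6), assign(6, 8), CANDIDATES))
    print("macro-time view \\(x=5) ∧ /(x=8):", assign(5, 8)(X_TRAJ, 2))
```

The search over candidate values stands in for the existential quantification over $\mathcal{I}'$ in the definition; because every state is constant on the inserted interval, a single value of x fixes $\mathcal{I}'$ completely, which is also why $/S \bullet \backslash\neg S$ can never be satisfied.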



10.2.3 Proof System

In this section, we present the axioms and rules of the superdense state transition calculus.

From the definition of $\bullet$, it is obvious that $\bullet$ is associative, distributive (over $\vee$ and $\exists$) and monotone. Hence we have the following axioms.

SDC1 $(\phi_1 \bullet (\phi_2 \bullet \phi_3)) \Leftrightarrow ((\phi_1 \bullet \phi_2) \bullet \phi_3)$.

SDC2 Suppose $x$ is not free in $\psi$.

$((\phi_1 \vee \phi_2) \bullet \phi_3) \Leftrightarrow ((\phi_1 \bullet \phi_3) \vee (\phi_2 \bullet \phi_3))$.
$(\phi_3 \bullet (\phi_1 \vee \phi_2)) \Leftrightarrow ((\phi_3 \bullet \phi_1) \vee (\phi_3 \bullet \phi_2))$.
$((\exists x.\phi) \bullet \psi) \Leftrightarrow \exists x.(\phi \bullet \psi)$.
$(\psi \bullet \exists x.\phi) \Leftrightarrow \exists x.(\psi \bullet \phi)$.

SDC3 If $\vdash (\phi_2 \Rightarrow \phi_3)$, then

$(\phi_1 \bullet \phi_2) \Rightarrow (\phi_1 \bullet \phi_3)$ and $(\phi_2 \bullet \phi_1) \Rightarrow (\phi_3 \bullet \phi_1)$.

A state $S$ can become an intermediate state to link the two formulas $(\phi \wedge /S)$ and $(\backslash S \wedge \psi)$ if $\phi$ and $\psi$ place no demands on the intermediate state, i.e. if $\phi$ contains no formula of the form $/S'$ and $\psi$ no formula of the form $\backslash S'$ (written $/ \notin \phi$ and $\backslash \notin \psi$). However, no intermediate state can link $/S$ and $\backslash\neg S$. Hence, we introduce the following axioms.

SDC4 If $S$ is consistent, $/ \notin \phi$ and $\backslash \notin \psi$, then

$((\phi \wedge /S) \bullet (\backslash S \wedge \psi)) \Leftrightarrow (\phi \bullet \psi)$.

SDC5

$(/S \bullet \backslash\neg S) \Rightarrow false$.

When $\backslash \notin \phi$, the formula $(\backslash S \wedge \phi)$ merely places on a left neighborhood the requirement that $S$ holds. The same requirement is placed by $(\backslash S \bullet \phi)$. Thus, we have:

SDC6 If $\backslash \notin \phi$, then

$(\backslash S \bullet \phi) \Leftrightarrow (\backslash S \wedge \phi)$.

Symmetrically, if $/ \notin \phi$, then

$(\phi \bullet /S) \Leftrightarrow (\phi \wedge /S)$.

The difference between $\bullet$ and $\frown$ disappears if we are not concerned with the transition formulas.

SDC7 If $\backslash, / \notin \phi$, and $\phi[\frown/\bullet]$ is provable in DC, then $\phi$ is provable in the superdense state transition calculus.

With SDC7 we can, for example, prove

$(true \bullet true) \Leftrightarrow true$,

$((\int S = x) \bullet (\int S = y)) \Leftrightarrow \int S = (x + y)$ $(x, y \ge 0)$, and

$(\lceil S\rceil \bullet \lceil S\rceil) \Leftrightarrow \lceil S\rceil$,

since the above three formulas contain no occurrences of $\backslash$ or $/$, and

$(true \frown true) \Leftrightarrow true$,

$((\int S = x) \frown (\int S = y)) \Leftrightarrow \int S = (x + y)$ $(x, y \ge 0)$, and

$(\lceil S\rceil \frown \lceil S\rceil) \Leftrightarrow \lceil S\rceil$

are provable in DC.

The semantics of the transition formulas $\backslash S$ and $/S$ is as given in the state transition calculus described in Chap. 9. Therefore, the axioms ST1–ST4 can also be adopted here. However, axioms N1 and N2 cannot be used in the superdense state transition calculus, since they are expressed in terms of the original chop, $\frown$. In fact, SDC4–SDC6 replace N1 and N2 in the context of $\bullet$.

We have the result that SDC1–SDC7, together with ST1–ST4, constitute the superdense state transition calculus.



10.2.4 Theorems

We prove the following theorems. In the proofs, predicate calculus is tacitly assumed.

Theorem 10.1

$(false \bullet \phi) \Rightarrow false$ and $(\phi \bullet false) \Rightarrow false$.

Proof. We present a proof for the first case.

$false \bullet \phi$
$\Rightarrow false \bullet true$   SDC3
$\Leftrightarrow false$   SDC7.

□

Theorem 10.2

$(\backslash S_1 \bullet /S_2) \Leftrightarrow (\backslash S_1 \wedge /S_2)$.

Proof.

$\backslash S_1 \bullet /S_2$
$\Leftrightarrow (\backslash S_1 \bullet true) \bullet (true \bullet /S_2)$   SDC6, SDC3
$\Leftrightarrow ((\backslash S_1 \bullet true) \bullet true) \bullet /S_2$   SDC1
$\Leftrightarrow (\backslash S_1 \bullet (true \bullet true)) \wedge /S_2$   SDC1, SDC6, SDC3
$\Leftrightarrow (\backslash S_1 \wedge (true \bullet true)) \wedge /S_2$   SDC6
$\Leftrightarrow \backslash S_1 \wedge /S_2$   SDC7.

□

Corollary 10.1

$(\backslash S \bullet true) \Leftrightarrow \backslash S$

and

$(true \bullet /S) \Leftrightarrow /S$.

Proof. The first part of the corollary can be derived by letting $S_1$ be $S$ and $S_2$ be 1 in Theorem 10.2. The second part can be derived similarly. □



Theorem 10.3 If $(S_1 \wedge S_2)$ is consistent, $/ \notin \phi$ and $\backslash \notin \psi$, then

$((\phi \wedge /S_1) \bullet (\backslash S_2 \wedge \psi)) \Leftrightarrow (\phi \bullet \psi)$.

Proof.

$(\phi \wedge /S_1) \bullet (\backslash S_2 \wedge \psi)$
$\Leftrightarrow (\phi \wedge /((S_1 \wedge S_2) \vee (S_1 \wedge \neg S_2))) \bullet (\backslash S_2 \wedge \psi)$   ST4, SDC3
$\Leftrightarrow ((\phi \wedge /(S_1 \wedge S_2)) \bullet (\backslash S_2 \wedge \psi)) \vee ((\phi \wedge /(S_1 \wedge \neg S_2)) \bullet (\backslash S_2 \wedge \psi))$   ST2, SDC2
$\Leftrightarrow (\phi \wedge /(S_1 \wedge S_2)) \bullet (\backslash S_2 \wedge \psi)$   ST4, SDC3, SDC5
$\Leftrightarrow (\phi \wedge /(S_1 \wedge S_2)) \bullet (\backslash((S_2 \wedge S_1) \vee (S_2 \wedge \neg S_1)) \wedge \psi)$   ST4, SDC3
$\Leftrightarrow ((\phi \wedge /(S_1 \wedge S_2)) \bullet (\backslash(S_2 \wedge S_1) \wedge \psi)) \vee ((\phi \wedge /(S_1 \wedge S_2)) \bullet (\backslash(S_2 \wedge \neg S_1) \wedge \psi))$   ST2, SDC2
$\Leftrightarrow (\phi \wedge /(S_1 \wedge S_2)) \bullet (\backslash(S_2 \wedge S_1) \wedge \psi)$   ST4, SDC3, SDC5
$\Leftrightarrow \phi \bullet \psi$   SDC4.

□

Corollary 10.2 If $(S_2 \wedge S_3)$ is consistent, then

$((\backslash S_1 \wedge /S_2) \bullet (\backslash S_3 \wedge /S_4)) \Leftrightarrow (\backslash S_1 \wedge /S_4)$.

Proof. From Theorem 10.3, we can derive

$((\backslash S_1 \wedge /S_2) \bullet (\backslash S_3 \wedge /S_4)) \Leftrightarrow (\backslash S_1 \bullet /S_4)$.

Therefore, by Theorem 10.2, we can obtain the required conclusion. □



Theorem 10.4 If $\backslash \notin \phi_1, \phi_2$ and $/ \notin \psi_1, \psi_2$, then

$((\backslash S_1 \bullet \phi_1) \wedge (\backslash S_2 \bullet \phi_2)) \Leftrightarrow (\backslash(S_1 \wedge S_2) \bullet (\phi_1 \wedge \phi_2))$.

$((\psi_1 \bullet /S_1) \wedge (\psi_2 \bullet /S_2)) \Leftrightarrow ((\psi_1 \wedge \psi_2) \bullet /(S_1 \wedge S_2))$.

Proof. We prove the first equivalence only.

$(\backslash S_1 \bullet \phi_1) \wedge (\backslash S_2 \bullet \phi_2)$
$\Leftrightarrow (\backslash S_1 \wedge \phi_1) \wedge (\backslash S_2 \wedge \phi_2)$   SDC6
$\Leftrightarrow \backslash(S_1 \wedge S_2) \wedge (\phi_1 \wedge \phi_2)$   TH9.1(2)
$\Leftrightarrow \backslash(S_1 \wedge S_2) \bullet (\phi_1 \wedge \phi_2)$   SDC6.

□
10.3 Real-Time Semantics

In this section, an OCCAM-like notation and a real-time semantics of the notation are presented, where assignment statements and message passing of communications are assumed to be timeless actions.

10.3.1 Program Notation

Let $T \in (0, \infty)$ stand for a time delay, x, y for program variables, c, d for channels, E for arithmetical expressions of program variables, and B for Boolean expressions of program variables. The syntax of the notation is given by the following grammar:

S ::= x := E | c!E | c?x | wait T | S; S | B → S
    | (c?x → S [] d?y → S) | (c?x → S [] wait T → S) | μY.S
P ::= S | (P ∥ P),

where S stands for sequential processes, and P for parallel processes. The informal meanings of the statements can be given as follows.

x := E assigns the value of E to x.

c!E sends the value of E on channel c.

c?x receives a message from channel c, and assigns it to x.

wait T delays the program for T (T > 0) time units.

S₁; S₂ is the sequential composition of S₁ and S₂.

(B → S) behaves like S if the values of the program variables satisfy B. Otherwise, B is false, and the process terminates immediately.

(c?x → S₁ [] d?y → S₂) is a choice. If a communication on c can be completed earlier than one on d, the first branch S₁ is chosen; similarly, if a communication on d can be completed earlier than one on c, then the second branch S₂ is chosen. If these two communications can be completed at the same time, the choice is random.

(c?x → S₁ [] wait T → S₂) is also a choice. If a communication on c can be completed within T time units, the first branch is chosen. Otherwise, the second branch is chosen.

μY.S is a conventional recursion, where Y is the name of the recursion process and Y may occur in S.¹ We exclude finite divergent behavior of processes by assuming that any occurrence of Y in S is guarded by a wait statement, so that a process will not be engaged in infinitely many assignments or communications in a finite period.

P allows a parallel system constructed from sequential processes. Shared variables are excluded in a parallel system. The only interactions between sequential processes in a parallel system are communications over channels. Each channel is unidirectional and owned by two sequential processes, one at each end.

¹ We shall not elaborate here on the details of the syntax required to build a recursion.







10.3.2 Program States

In order to model the behavior of real-time programs, program states are introduced into the superdense state transition calculus as state variables. We consider the following set of program and channel variables:

$PV = \{x, y, z, c, d, c!, d!, c?, d?, \ldots\}$,

where

x, y and z, called program variables, record the values of variables of a program;

c and d, called trace variables,² record communication histories over individual channels;

c! and d! record readiness to send messages over channels; and

c? and d? record readiness to receive messages over channels.

The variables c!, d!, c? and d? are called readiness variables.

Let the real numbers $\mathbb{R}$ be the value domain of the program variables. The domain of the communication traces of channels is the set of the finite sequences of real numbers

$Trace = \bigcup_{n \ge 0} \mathbb{R}^n$.

When $n = 0$, $\mathbb{R}^0 = \{\langle\rangle\}$, where $\langle\rangle$ stands for the empty sequence. Let the truth values $\{0, 1\}$ be the domain of channel readiness.

Let us extend the set of global variables, $GV$, so that we have

1. $v, v_1, v_2, \ldots$ as global variables to range over $\mathbb{R}$, and

2. $h, h_1, h_2, \ldots$ as global variables to range over $Trace$.

Accordingly, we extend the set of function symbols to include the concatenation operator

$\frown : Trace \times Trace \to Trace$,

with the definition

$\langle a_1, a_2, \ldots, a_m\rangle \frown \langle b_1, b_2, \ldots, b_n\rangle = \langle a_1, a_2, \ldots, a_m, b_1, b_2, \ldots, b_n\rangle$.

The operator $\frown$ is associative, and has the empty sequence, $\langle\rangle$, as the left and also the right unit.

² We can introduce a trace variable to record the communication histories of all channels of a process, if ordering among communications over different channels is interesting.
State variables $SV$ are generated from the program and channel variables $W$ by the following rules:

1. If $x$ is a program variable, and $\mathcal{E}$ is an arithmetical expression of global variables $v, v_1, v_2, \dots$, then $(x = \mathcal{E})$ is a state variable.

2. If $c$ is a trace variable and $tr$ is a trace expression constructed by using $\mathbin{\hat{}}$ from global variables $h, h_1, h_2, \dots$ and arithmetical expressions of $v, v_1, v_2, \dots$, then $(c = tr)$ is a state variable.

3. Any readiness variable is a state variable.

State expressions (also simply called states) are generated from state variables by the propositional connectives $\neg$ and $\vee$, and also the quantifier $\exists$, since state expressions may contain global variables (e.g. $v$ and $h$). We can say the following:

1. $0$, $1$ and every state variable are states.

2. If $S$ and $S'$ are states, so are $\neg S$, $S \vee S'$, $\exists v.S$ and $\exists h.S$.

By the definition above, a state is in fact a formula of the program and channel variables and of global variables such as $v$ and $h$, in a first-order logic with equality. In a state, quantifiers are applied only to global variables. We shall use
$$S(x, c, c!, c?, v, h)$$
to represent a state $S$ which contains the program and channel variables $x$, $c$, $c!$ and $c?$, and free occurrences of $v$ and $h$.

An interpretation of a state is determined by an interpretation of the program and channel variables and a value assignment for those global variables which occur (freely) in the state.

We also use $\mathcal{I}$ to stand for an interpretation of the program and channel variables, and use $x_{\mathcal{I}}$, $c_{\mathcal{I}}$, $c!_{\mathcal{I}}$ and $c?_{\mathcal{I}}$ for the interpretations assigned by $\mathcal{I}$ to $x$, $c$, $c!$ and $c?$. We assume that
$$\begin{array}{l}
x_{\mathcal{I}} : \mathit{Time} \to \mathbb{R} \\
c_{\mathcal{I}} : \mathit{Time} \to \mathit{Trace} \\
c!_{\mathcal{I}} : \mathit{Time} \to \{0, 1\} \\
c?_{\mathcal{I}} : \mathit{Time} \to \{0, 1\} ,
\end{array}$$
and that they are finitely variable for any interpretation $\mathcal{I}$. That is, they cannot change their values infinitely often in a finite period. $\mathcal{I}$ also assigns interpretations to propositional letters, as explained in Chaps. 2 and 3.

For a value assignment $\mathcal{V}$, it is assumed that
$$\mathcal{V}(v) \in \mathbb{R} \quad\text{and}\quad \mathcal{V}(h) \in \mathit{Trace} .$$
Of course, $\mathcal{V}$ also assigns values to other global variables, as explained in Chaps. 2 and 3.
Given $\mathcal{I}$ and $\mathcal{V}$, the value of a state at any time is determined. Let $S$ be a state written as $S(x, c, c!, c?, v, h)$, and let $t \in \mathit{Time}$. We define $S$ to have value $1$ at $t$ under $\mathcal{I}$ and $\mathcal{V}$ iff
$$S(x_{\mathcal{I}}(t), c_{\mathcal{I}}(t), c!_{\mathcal{I}}(t), c?_{\mathcal{I}}(t), \mathcal{V}(v), \mathcal{V}(h))$$
is valid in a first-order logic with equality.

For example, if, for a given $\mathcal{I}$ and $\mathcal{V}$, we have $x_{\mathcal{I}}(t) = 2$ and $\mathcal{V}(v) = 3$, then the state $(x = v)$ has value $0$ at $t$ under $\mathcal{I}$ and $\mathcal{V}$, since
$$x_{\mathcal{I}}(t) \neq \mathcal{V}(v) .$$
However, the state $\exists v.(x = v)$ has value $1$ at $t$ under $\mathcal{I}$ and $\mathcal{V}$, since we can construct a value assignment $\mathcal{V}'$ which is $v$-equivalent to $\mathcal{V}$ and has $\mathcal{V}'(v) = 2$, so that
$$x_{\mathcal{I}}(t) = \mathcal{V}'(v) .$$
In fact, the state $\exists v.(x = v)$ has value $1$ at any time under any interpretation and value assignment, since for any interpretation $\mathcal{I}$, value assignment $\mathcal{V}$ and time $t$ one can always find a value assignment $\mathcal{V}'$ which is $v$-equivalent to $\mathcal{V}$ and has
$$\mathcal{V}'(v) = x_{\mathcal{I}}(t) .$$

As we have introduced first-order quantification in state expressions, we need an additional axiom concerning the distributivity of $\nwarrow$ and $\nearrow$ over the existential quantifier:

ST5 $\quad \nwarrow\exists x.S \Leftrightarrow \exists x.\nwarrow S \quad\text{and}\quad \nearrow\exists x.S \Leftrightarrow \exists x.\nearrow S ,$

where $x$ stands for any global variable.

The following theorem is proved using ST5 and ST3.

Theorem 10.5
$$\nwarrow\forall x.S \Leftrightarrow \forall x.\nwarrow S \quad\text{and}\quad \nearrow\forall x.S \Leftrightarrow \forall x.\nearrow S .$$

The formula $\mathit{Cnt}(x)$, defined by
$$\mathit{Cnt}(x) \triangleq \exists v.(\nwarrow(x = v) \wedge \nearrow(x = v)) ,$$
expresses the continuity of $x$ at a point and acts as a unit of $\bullet$ for program states of $x$.
Theorem 10.6
$$\begin{array}{l}
(\mathit{Cnt}(x) \bullet (\nwarrow(x = v_1) \wedge \nearrow(x = v_2))) \Leftrightarrow (\nwarrow(x = v_1) \wedge \nearrow(x = v_2)) . \\
((\nwarrow(x = v_1) \wedge \nearrow(x = v_2)) \bullet \mathit{Cnt}(x)) \Leftrightarrow (\nwarrow(x = v_1) \wedge \nearrow(x = v_2)) . \\
(\mathit{Cnt}(x) \bullet \lceil x = v\rceil) \Leftrightarrow \lceil x = v\rceil . \\
(\lceil x = v\rceil \bullet \mathit{Cnt}(x)) \Leftrightarrow \lceil x = v\rceil .
\end{array}$$

Proof. We merely sketch the proofs here. Observe first that if $(v = v_1)$, then
$$\begin{array}{ll}
(\nwarrow(x = v) \wedge \nearrow(x = v)) \bullet (\nwarrow(x = v_1) \wedge \nearrow(x = v_2)) & \\
\Leftrightarrow (\nwarrow(x = v) \wedge \nearrow(x = v)) \bullet (\nwarrow(x = v) \wedge \nearrow(x = v_2)) & (v = v_1) \\
\Leftrightarrow \nwarrow(x = v) \bullet \nearrow(x = v_2) & \text{SDC4} \\
\Leftrightarrow \nwarrow(x = v) \wedge \nearrow(x = v_2) & \text{SDC6.}
\end{array}$$
Observe next that if $(v \neq v_1)$, then by SDC5, the definition of $\nearrow$ and SDC3,
$$((\nwarrow(x = v) \wedge \nearrow(x = v)) \bullet (\nwarrow(x = v_1) \wedge \nearrow(x = v_2))) \Leftrightarrow \mathit{false} .$$

The first two parts of Theorem 10.6 follow from the above two observations. A proof of the last two parts can be given as follows:
$$\begin{array}{ll}
\mathit{Cnt}(x) \bullet \lceil x = v\rceil & \\
\Leftrightarrow \exists v'.(\nwarrow(x = v') \wedge (\ell = 0) \wedge \nearrow(x = v')) \bullet (\nwarrow 1 \wedge \lceil x = v\rceil) & \text{Def}(\nwarrow), \text{ST1} \\
\Leftrightarrow \exists v'.((\nwarrow(x = v') \wedge (\ell = 0) \wedge \nearrow(x = v')) \bullet (\nwarrow 1 \wedge \lceil x = v\rceil)) & \text{SDC2} \\
\Leftrightarrow \exists v'.((\nwarrow(x = v') \wedge (\ell = 0)) \bullet \lceil x = v\rceil) & \text{TH10.3} \\
\Leftrightarrow (\exists v'.(\nwarrow(x = v') \wedge (\ell = 0))) \bullet \lceil x = v\rceil & \text{SDC2} \\
\Leftrightarrow (\nwarrow\exists v'.(x = v') \wedge (\ell = 0)) \bullet \lceil x = v\rceil & \text{ST5} \\
\Leftrightarrow (\nwarrow 1 \wedge (\ell = 0)) \bullet \lceil x = v\rceil & (\exists v'.(x = v')) \Leftrightarrow 1 \\
\Leftrightarrow (\ell = 0) \bullet \lceil x = v\rceil & \text{ST1} \\
\Leftrightarrow \lceil x = v\rceil & \text{SDC7.}
\end{array}$$
□

We can define
$$\mathit{Cnt}(c) \triangleq \exists h.(\nwarrow(c = h) \wedge \nearrow(c = h))$$
similarly and prove the following theorem.

Theorem 10.7
$$\begin{array}{l}
(\mathit{Cnt}(c) \bullet (\nwarrow(c = h_1) \wedge \nearrow(c = h_2))) \Leftrightarrow (\nwarrow(c = h_1) \wedge \nearrow(c = h_2)) . \\
((\nwarrow(c = h_1) \wedge \nearrow(c = h_2)) \bullet \mathit{Cnt}(c)) \Leftrightarrow (\nwarrow(c = h_1) \wedge \nearrow(c = h_2)) . \\
(\mathit{Cnt}(c) \bullet \lceil c = h\rceil) \Leftrightarrow \lceil c = h\rceil . \\
(\lceil c = h\rceil \bullet \mathit{Cnt}(c)) \Leftrightarrow \lceil c = h\rceil .
\end{array}$$
10.3.3 Program Semantics

We shall use a technique given in [56], where the semantics of each process $P$ is defined simultaneously by two formulas, $\llbracket P\rrbracket_{ter}$ and $\llbracket P\rrbracket$. These formulas define the terminating behavior and the entire behavior, respectively, of $P$. The formula $\llbracket P\rrbracket$ is prefix-closed. By prefix-closed, we mean that for any interpretation $\mathcal{I}$, value assignment $\mathcal{V}$ and interval $[b, e]$, if
$$\mathcal{I}, \mathcal{V}, [b, e] \models \llbracket P\rrbracket ,$$
then for any $c$, where $b \le c \le e$,
$$\mathcal{I}, \mathcal{V}, [b, c] \models \llbracket P\rrbracket .$$

As indicated before, our aim is to show the expressive power of the superdense state transition calculus, so we shall not concern ourselves with other details, for example a proof of the continuity of the semantics of all program constructors, and hence the existence of a fixed point of a recursion.

Furthermore, for simplicity, we also assume that a process has only one variable, say $x$ or $y$, and two channels, say $c$ and $d$, over which the process may communicate. It should not be difficult to generalize the semantics to more realistic cases by introducing process alphabets.

For each process considered below, we state its semantics by defining the communications on its channels ($c$ and $d$) and the evaluation of its variable ($x$ or $y$).



Sequential Process: $x := \mathcal{E}$

The assignment terminates immediately. It inherits a value of $x$ from its left neighborhood and passes the changed value to its right neighborhood. The communication histories of $c$ and $d$ do not change:
$$\begin{array}{l}
\llbracket x := \mathcal{E}\rrbracket_{ter} \triangleq \exists v.(\nwarrow(x = v) \wedge \nearrow(x = \mathcal{E}(v))) \wedge \mathit{Cnt}(c) \wedge \mathit{Cnt}(d) \\
\llbracket x := \mathcal{E}\rrbracket \triangleq \llbracket x := \mathcal{E}\rrbracket_{ter} ,
\end{array}$$
where $\mathcal{E}(v)$ is the expression obtained from $\mathcal{E}$ by replacing $x$ with $v$.



Sequential Process: $c?x$

We assume that this process can also input messages from $d$. As soon as this process synchronizes with its partner, it receives a message, updates the communication history of channel $c$ and assigns the message to $x$ instantly. However, it may wait forever if its partner refuses to send. The communication history of $d$ does not change during the execution of $c?x$:
$$\begin{array}{l}
\llbracket c?x\rrbracket_{ter} \triangleq \exists h_1, h_2.(\mathit{Sync}_1(h_1, h_2) \bullet \exists v.\mathit{Comm}_1(h_1, h_2, v)) \\
\llbracket c?x\rrbracket \triangleq \exists h_1, h_2.\mathit{Sync}_1(h_1, h_2) \vee \llbracket c?x\rrbracket_{ter} ,
\end{array}$$
where
$$\mathit{Sync}_1(h_1, h_2) \triangleq \nwarrow((c = h_1) \wedge (d = h_2)) \wedge \lceil c? \wedge \neg d? \wedge \neg c! \wedge (c = h_1) \wedge (d = h_2)\rceil^*$$
and
$$\mathit{Comm}_1(h_1, h_2, v) \triangleq \nearrow((c = h_1 \mathbin{\hat{}} \langle v\rangle) \wedge (d = h_2) \wedge (x = v)) .$$
In the formula $\mathit{Sync}_1(h_1, h_2)$ and henceforth, we use the abbreviation
$$\lceil S\rceil^* \triangleq \lceil\,\rceil \vee \lceil S\rceil .$$

The formula $\mathit{Sync}_1(h_1, h_2)$ therefore defines the behavior of the process while it is waiting to receive a value from channel $c$. The process first inherits the values ($h_1$ and $h_2$) of the histories of channels $c$ and $d$, and keeps the readiness variable $c?$ at $1$ as long as its partner does not engage in communication (i.e. $c! = 0$). During the waiting period (if any), the process keeps the channel histories of $c$ and $d$ constant, so that no communications over $c$ and $d$ are possible. Note that $\mathit{Sync}_1$ deliberately avoids specifying the value of $x$ in the waiting period, following the assumption that only the initial and terminating values of a program variable are observable. The following definitions of $\mathit{Sync}_2$, $\mathit{Sync}_3$, $\mathit{Wait}_1$ and $\mathit{Wait}_2$ follow the same assumption.

The formula $\mathit{Comm}_1(h_1, h_2, v)$ describes the time instant when $v$ is received over channel $c$ and assigned to $x$. Note that the trace of $c$ is changed, while the trace of $d$ is kept constant.

Sequential Process: $c!\mathcal{E}$

We assume that this process has $y$ as its program variable and that it can also output messages over $d$. The semantics is described in a way similar to $c?x$:
$$\begin{array}{l}
\llbracket c!\mathcal{E}\rrbracket_{ter} \triangleq \exists h_1, h_2, v.(\mathit{Sync}_2(h_1, h_2, v) \bullet \mathit{Comm}_2(h_1, h_2, v)) \\
\llbracket c!\mathcal{E}\rrbracket \triangleq \exists h_1, h_2, v.\mathit{Sync}_2(h_1, h_2, v) \vee \llbracket c!\mathcal{E}\rrbracket_{ter} ,
\end{array}$$
where
$$\mathit{Sync}_2(h_1, h_2, v) \triangleq \nwarrow((c = h_1) \wedge (d = h_2) \wedge (y = v)) \wedge \lceil c! \wedge \neg d! \wedge \neg c? \wedge (c = h_1) \wedge (d = h_2)\rceil^*$$
and
$$\mathit{Comm}_2(h_1, h_2, v) \triangleq \nearrow((c = h_1 \mathbin{\hat{}} \langle \mathcal{E}(v)\rangle) \wedge (d = h_2) \wedge (y = v)) .$$
Sequential Process: $\mathbf{wait}\ T$

We assume that this process has $x$ as its program variable and can input messages from both $c$ and $d$. The process always terminates, and nothing happens to its program variable and channels until a time $T > 0$ has elapsed:
$$\begin{array}{l}
\llbracket \mathbf{wait}\ T\rrbracket_{ter} \triangleq \mathit{Wait}_1 \wedge (\ell = T) \\[1ex]
\llbracket \mathbf{wait}\ T\rrbracket \triangleq \exists h_1, h_2, v.\left(\begin{array}{l}
\nwarrow((c = h_1) \wedge (d = h_2) \wedge (x = v)) \\
\wedge\ \lceil \neg c? \wedge \neg d? \wedge (c = h_1) \wedge (d = h_2)\rceil^* \wedge (\ell \le T)
\end{array}\right) \vee \llbracket \mathbf{wait}\ T\rrbracket_{ter} ,
\end{array}$$
where
$$\mathit{Wait}_1 \triangleq \exists h_1, h_2, v.\left(\begin{array}{l}
\nwarrow((c = h_1) \wedge (d = h_2) \wedge (x = v)) \\
\wedge\ \lceil \neg c? \wedge \neg d? \wedge (c = h_1) \wedge (d = h_2)\rceil^* \\
\wedge\ \nearrow((c = h_1) \wedge (d = h_2) \wedge (x = v))
\end{array}\right) .$$
When $\mathbf{wait}\ T$ controls $y$ and the outputs of $c$ and $d$, the semantics of $\mathbf{wait}\ T$ can be defined by $\mathit{Wait}_2$ in a similar way:
$$\mathit{Wait}_2 \triangleq \exists h_1, h_2, v.\left(\begin{array}{l}
\nwarrow((c = h_1) \wedge (d = h_2) \wedge (y = v)) \\
\wedge\ \lceil \neg c! \wedge \neg d! \wedge (c = h_1) \wedge (d = h_2)\rceil^* \\
\wedge\ \nearrow((c = h_1) \wedge (d = h_2) \wedge (y = v))
\end{array}\right) .$$




Sequential Process: $S_1 ; S_2$

The prefix of the behavior of $S_1 ; S_2$ consists of the prefix of the behavior of $S_1$ and its terminating part, continued with $S_2$:
$$\begin{array}{l}
\llbracket S_1 ; S_2\rrbracket_{ter} \triangleq \llbracket S_1\rrbracket_{ter} \bullet \llbracket S_2\rrbracket_{ter} \\
\llbracket S_1 ; S_2\rrbracket \triangleq \llbracket S_1\rrbracket \vee (\llbracket S_1\rrbracket_{ter} \bullet \llbracket S_2\rrbracket) .
\end{array}$$

Now we can prove the combine law introduced in Sect. 10.1.1. Consider, for example,
$$\llbracket x := x + 1 ; x := x + 2\rrbracket \Leftrightarrow \llbracket x := x + 3\rrbracket .$$
According to the semantic definitions of assignment and sequential composition, the equivalence above can be transformed to the formula
$$\exists v.(\nwarrow(x = v) \wedge \nearrow(x = v + 1)) \bullet \exists v.(\nwarrow(x = v) \wedge \nearrow(x = v + 2)) \Leftrightarrow \exists v.(\nwarrow(x = v) \wedge \nearrow(x = v + 3)) .$$
This formula can be proved by showing that if $v' = v + 1$, then
$$\begin{array}{ll}
(\nwarrow(x = v) \wedge \nearrow(x = v + 1)) \bullet (\nwarrow(x = v') \wedge \nearrow(x = v' + 2)) & \\
\Leftrightarrow \nwarrow(x = v) \wedge \nearrow(x = v' + 2) & \text{COR10.2} \\
\Leftrightarrow \nwarrow(x = v) \wedge \nearrow(x = v + 3) & v' = v + 1 ,
\end{array}$$
and if $v' \neq v + 1$, then by $(x = v + 1) \Rightarrow \neg(x = v')$ and SDC5,
$$(\nwarrow(x = v) \wedge \nearrow(x = v + 1)) \bullet (\nwarrow(x = v') \wedge \nearrow(x = v' + 2)) \Leftrightarrow \mathit{false} .$$
(In the above equations, "COR" means "Corollary".)

Hence, by SDC2,
$$\begin{array}{l}
\exists v.(\nwarrow(x = v) \wedge \nearrow(x = v + 1)) \bullet \exists v.(\nwarrow(x = v) \wedge \nearrow(x = v + 2)) \\
\Leftrightarrow \exists v, v'.((\nwarrow(x = v) \wedge \nearrow(x = v + 1)) \bullet (\nwarrow(x = v') \wedge \nearrow(x = v' + 2))) \\
\Leftrightarrow \exists v.(\nwarrow(x = v) \wedge \nearrow(x = v + 3)) .
\end{array}$$

Sequential Process: $(B \to S)$

We assume that this process contains $x$ and can input from $c$ and $d$.
$$\begin{array}{l}
\llbracket B \to S\rrbracket_{ter} \triangleq (\nwarrow B \wedge \llbracket S\rrbracket_{ter}) \vee ((\nwarrow\neg B) \wedge \mathit{Cnt}(c) \wedge \mathit{Cnt}(d) \wedge \mathit{Cnt}(x)) \\
\llbracket B \to S\rrbracket \triangleq (\nwarrow B \wedge \llbracket S\rrbracket) \vee ((\nwarrow\neg B) \wedge \mathit{Cnt}(c) \wedge \mathit{Cnt}(d) \wedge \mathit{Cnt}(x)) ,
\end{array}$$
where we assume that $B$ can be expressed as a program state, i.e. a first-order formula of the program and channel variables.



Sequential Process: $(c?x \to S_1 \mathrel{[]} d?x \to S_2)$

We assume that this process contains $x$ and can input from $c$ and $d$.
$$\begin{array}{l}
\llbracket c?x \to S_1 \mathrel{[]} d?x \to S_2\rrbracket_{ter} \triangleq \\
\qquad \exists h_1, h_2.(\mathit{Sync}_3(h_1, h_2) \bullet \exists v.\mathit{Comm}_1(h_1, h_2, v)) \bullet \llbracket S_1\rrbracket_{ter} \\
\qquad \vee\ \exists h_1, h_2.(\mathit{Sync}_3(h_1, h_2) \bullet \exists v.\mathit{Comm}_3(h_1, h_2, v)) \bullet \llbracket S_2\rrbracket_{ter} \\[1ex]
\llbracket c?x \to S_1 \mathrel{[]} d?x \to S_2\rrbracket \triangleq \\
\qquad \exists h_1, h_2.\mathit{Sync}_3(h_1, h_2) \\
\qquad \vee\ \exists h_1, h_2.(\mathit{Sync}_3(h_1, h_2) \bullet \exists v.\mathit{Comm}_1(h_1, h_2, v)) \\
\qquad \vee\ \exists h_1, h_2.(\mathit{Sync}_3(h_1, h_2) \bullet \exists v.\mathit{Comm}_3(h_1, h_2, v)) \\
\qquad \vee\ \exists h_1, h_2.(\mathit{Sync}_3(h_1, h_2) \bullet \exists v.\mathit{Comm}_1(h_1, h_2, v)) \bullet \llbracket S_1\rrbracket \\
\qquad \vee\ \exists h_1, h_2.(\mathit{Sync}_3(h_1, h_2) \bullet \exists v.\mathit{Comm}_3(h_1, h_2, v)) \bullet \llbracket S_2\rrbracket ,
\end{array}$$
where
$$\mathit{Sync}_3(h_1, h_2) \triangleq \nwarrow((c = h_1) \wedge (d = h_2)) \wedge \lceil c? \wedge d? \wedge \neg c! \wedge \neg d! \wedge (c = h_1) \wedge (d = h_2)\rceil^*$$
and
$$\mathit{Comm}_3(h_1, h_2, v) \triangleq \nearrow((c = h_1) \wedge (d = h_2 \mathbin{\hat{}} \langle v\rangle) \wedge (x = v)) .$$
Sequential Process: $(c?x \to S_1 \mathrel{[]} \mathbf{wait}\ T \to S_2)$

We assume that this process contains $x$ and can input from $c$ and $d$.
$$\begin{array}{l}
\llbracket c?x \to S_1 \mathrel{[]} \mathbf{wait}\ T \to S_2\rrbracket_{ter} \triangleq \\
\qquad \exists h_1, h_2.((\mathit{Sync}_1(h_1, h_2) \wedge (\ell < T)) \bullet \exists v.\mathit{Comm}_1(h_1, h_2, v)) \bullet \llbracket S_1\rrbracket_{ter} \\
\qquad \vee\ \exists h_1, h_2.(\mathit{Sync}_1(h_1, h_2) \wedge (\ell = T)) \bullet \llbracket S_2\rrbracket_{ter} \\[1ex]
\llbracket c?x \to S_1 \mathrel{[]} \mathbf{wait}\ T \to S_2\rrbracket \triangleq \\
\qquad \exists h_1, h_2.(\mathit{Sync}_1(h_1, h_2) \wedge (\ell < T)) \\
\qquad \vee\ \exists h_1, h_2.((\mathit{Sync}_1(h_1, h_2) \wedge (\ell < T)) \bullet \exists v.\mathit{Comm}_1(h_1, h_2, v)) \\
\qquad \vee\ \exists h_1, h_2.((\mathit{Sync}_1(h_1, h_2) \wedge (\ell < T)) \bullet \exists v.\mathit{Comm}_1(h_1, h_2, v)) \bullet \llbracket S_1\rrbracket \\
\qquad \vee\ \exists h_1, h_2.(\mathit{Sync}_1(h_1, h_2) \wedge (\ell = T)) \bullet \llbracket S_2\rrbracket .
\end{array}$$



Sequential Process: $\mu Y.S(Y)$

We write $S(Y)$ to denote that $Y$ may occur in $S$. The terminating and complete behaviors of $\mu Y.S(Y)$ can be extracted from iterations of $S$. Let $S^i(Y) = S(S(\cdots S(Y)\cdots))$ denote the $i$th iteration of $S$. We also introduce an auxiliary syntactical entity, called $\mathcal{M}$, with the definition
$$\begin{array}{l}
\llbracket\mathcal{M}\rrbracket_{ter} \triangleq \mathit{false} \\
\llbracket\mathcal{M}\rrbracket \triangleq \mathit{false} .
\end{array}$$
$\mathcal{M}$ acts like a miracle, from which one can derive any conclusion.² The terminating and nonterminating behaviors of $\mu Y.S(Y)$ can be defined, using $\mathcal{M}$ and iterations of $S$, by
$$\begin{array}{l}
\llbracket\mu Y.S(Y)\rrbracket_{ter} \triangleq \exists n > 0.\llbracket S^n(\mathcal{M})\rrbracket_{ter} \\
\llbracket\mu Y.S(Y)\rrbracket \triangleq \exists n > 0.\llbracket S^n(\mathcal{M})\rrbracket ,
\end{array}$$
where $(\exists n > 0.\phi_n)$ means an infinite disjunction of $\phi_1, \phi_2, \dots$. We shall not discuss here how to define $(\exists n > 0.\phi_n)$ in DC. References [39, 41, 60, 108, 110] have introduced an operator $\mu$ into DC for this purpose.

² However, since we assume that any occurrence of $Y$ in $\mu Y.S(Y)$ is guarded by a wait statement, the program notation can exclude $\mathcal{M}$.

Parallel Process: $(S_1 \parallel S_2)$

We assume that $S_1$ contains the variable $x$ and can input from $c$ and $d$, and that $S_2$ contains $y$ and can output to $c$ and $d$. $S_1$ and $S_2$ first synchronize the communication histories of the channels $c$ and $d$ by initializing them as $\langle\rangle$, and then run in parallel. Any terminating process maintains its status (described by $\mathit{Wait}_1$ for $S_1$ and by $\mathit{Wait}_2$ for $S_2$) until the other process also terminates.

The semantics of $(S_1 \parallel S_2)$ is
$$\begin{array}{l}
\llbracket S_1 \parallel S_2\rrbracket_{ter} \triangleq \nwarrow((c = \langle\rangle) \wedge (d = \langle\rangle)) \wedge \left(\begin{array}{l}
(\llbracket S_1\rrbracket_{ter} \wedge (\llbracket S_2\rrbracket_{ter} \bullet \mathit{Wait}_2)) \\
\vee\ ((\llbracket S_1\rrbracket_{ter} \bullet \mathit{Wait}_1) \wedge \llbracket S_2\rrbracket_{ter})
\end{array}\right) \\[3ex]
\llbracket S_1 \parallel S_2\rrbracket \triangleq \nwarrow((c = \langle\rangle) \wedge (d = \langle\rangle)) \wedge \left(\begin{array}{l}
(\llbracket S_1\rrbracket \wedge (\llbracket S_2\rrbracket_{ter} \bullet \mathit{Wait}_2)) \\
\vee\ ((\llbracket S_1\rrbracket_{ter} \bullet \mathit{Wait}_1) \wedge \llbracket S_2\rrbracket) \\
\vee\ (\llbracket S_1\rrbracket \wedge \llbracket S_2\rrbracket)
\end{array}\right)
\end{array}$$



10.3.4 Program Specification

We specify here the real-time properties of program termination and liveness. As we have discussed in Chap. 1, DC with contracting modalities is not able to formulate and prove unbounded liveness, including termination. Only bounded liveness is discussed here. In Chap. 11, two expanding modalities are introduced, and unbounded liveness can therefore be treated there.

Partial Correctness

The partial correctness of a program $P$ with $\mathit{Pre}$ as its pre-condition and $\mathit{Post}$ as its post-condition can be formulated as
$$(\nwarrow\mathit{Pre} \wedge \llbracket P\rrbracket_{ter}) \Rightarrow \nearrow\mathit{Post} ,$$
where $\mathit{Pre}$ and $\mathit{Post}$ are first-order formulas of program and trace variables.

Bounded Termination

The bounded termination of $P$ with the pre-condition $\mathit{Pre}$ holds if there exists $\tau > 0$ such that
$$(\nwarrow\mathit{Pre} \wedge \llbracket P\rrbracket) \Rightarrow (\ell \le \tau) .$$

Let $S_i$ ($i = 1, 2$) be two sequential processes,
$$\begin{array}{l}
S_1 : \mathbf{wait}\ 2 ; c?x \\
S_2 : \mathbf{wait}\ 1 ; c!y ; y := y + 1 ,
\end{array}$$
where $S_1$ has the variable $x$ and input $c?$, and $S_2$ has the variable $y$ and output $c!$. Let $P_1$ be the parallel system
$$P_1 : S_1 \parallel S_2 .$$
We can expect that $P_1$ always terminates within two time units, and that $y = x + 1$ holds when $P_1$ terminates:
$$(\nwarrow 1 \wedge \llbracket P_1\rrbracket) \Rightarrow (\ell \le 2)$$
and
$$(\nwarrow 1 \wedge \llbracket P_1\rrbracket_{ter}) \Rightarrow \nearrow(y = x + 1) .$$
Since $\nwarrow 1$ is true (ST1), the termination properties can be simplified to
$$\llbracket P_1\rrbracket \Rightarrow (\ell \le 2)$$
and
$$\llbracket P_1\rrbracket_{ter} \Rightarrow \nearrow(y = x + 1) .$$
In order to prove the above properties of $P_1$, we first simplify the semantics of $P_1$:
$$\llbracket P_1\rrbracket_{ter} \Leftrightarrow \exists v.\left(\begin{array}{l}
\nwarrow((c = \langle\rangle) \wedge (y = v)) \\
\bullet\ (\lceil \neg c! \wedge \neg c? \wedge (c = \langle\rangle)\rceil \wedge (\ell = 1)) \\
\bullet\ (\lceil c! \wedge \neg c? \wedge (c = \langle\rangle)\rceil \wedge (\ell = 1)) \\
\bullet\ \nearrow((c = \langle v\rangle) \wedge (x = v) \wedge (y = v + 1))
\end{array}\right)$$
and
$$\llbracket P_1\rrbracket \Leftrightarrow \begin{array}{l}
\exists v.\left(\begin{array}{l}
\nwarrow((c = \langle\rangle) \wedge (y = v)) \\
\bullet\ (\lceil \neg c! \wedge \neg c? \wedge (c = \langle\rangle)\rceil^* \wedge (\ell \le 1))
\end{array}\right) \\[3ex]
\vee\ \exists v.\left(\begin{array}{l}
\nwarrow((c = \langle\rangle) \wedge (y = v)) \\
\bullet\ (\lceil \neg c! \wedge \neg c? \wedge (c = \langle\rangle)\rceil \wedge (\ell = 1)) \\
\bullet\ (\lceil c! \wedge \neg c? \wedge (c = \langle\rangle)\rceil^* \wedge (\ell \le 1))
\end{array}\right) \\[4ex]
\vee\ \llbracket P_1\rrbracket_{ter} .
\end{array}$$



We do not present the proof of the simplification here, since it is tedious to derive program properties directly from program semantics.

With the simplified semantics of $P_1$, we can prove
$$\llbracket P_1\rrbracket \Rightarrow (\ell \le 2)$$
as follows. By SDC3, we have
$$\llbracket P_1\rrbracket \Rightarrow \begin{array}{l}
((\ell = 0) \bullet (\ell \le 1)) \\
\vee\ ((\ell = 0) \bullet (\ell = 1) \bullet (\ell \le 1)) \\
\vee\ ((\ell = 0) \bullet (\ell = 1) \bullet (\ell = 1)) .
\end{array}$$
Since the consequent of the implication contains no occurrences of $\nwarrow$ and $\nearrow$, we obtain, by replacing $\bullet$ with $\frown$ in the consequent, the following DC formula:
$$\begin{array}{l}
((\ell = 0) \frown (\ell \le 1)) \\
\vee\ ((\ell = 0) \frown (\ell = 1) \frown (\ell \le 1)) \\
\vee\ ((\ell = 0) \frown (\ell = 1) \frown (\ell = 1)) .
\end{array}$$
Therefore, by use of SDC7, the conclusion
$$\llbracket P_1\rrbracket \Rightarrow (\ell \le 2)$$
is easily proved using DC.

The property
$$\llbracket P_1\rrbracket_{ter} \Rightarrow \nearrow(y = x + 1)$$
can be derived easily from the simplified $\llbracket P_1\rrbracket_{ter}$, since
$$\begin{array}{ll}
\llbracket P_1\rrbracket_{ter} & \\
\Rightarrow \exists v.\nearrow((c = \langle v\rangle) \wedge (x = v) \wedge (y = v + 1)) & \text{SDC6} \\
\Rightarrow \nearrow(y = x + 1) & \text{Def}(\nearrow).
\end{array}$$

Bounded Liveness

A program is not deadlocked if the communication traces of the program are expandable. A bounded liveness can therefore be established by proving an upper bound on the time period in which the communication traces of the program remain constant.

Let $P$ be a process which has channels $c$ and $d$. $P$ has $\tau > 0$ as its upper bound of liveness under the pre-condition $\mathit{Pre}$ if
$$(\nwarrow\mathit{Pre} \wedge \llbracket P\rrbracket) \Rightarrow \Box_{sdc}\forall h_1, h_2.(\lceil (c = h_1) \wedge (d = h_2)\rceil \Rightarrow (\ell \le \tau)) ,$$
where $\Box_{sdc}$ is the counterpart of $\Box$ in the context of the superdense chop, i.e.
$$\begin{array}{l}
\Diamond_{sdc}\phi \triangleq \mathit{true} \bullet \phi \bullet \mathit{true} \\
\Box_{sdc}\phi \triangleq \neg\Diamond_{sdc}\neg\phi .
\end{array}$$
Consider, for example,
$$\begin{array}{l}
S_3 \triangleq \mu Y.S_1 ; Y \\
S_4 \triangleq \mu Y.S_2 ; Y
\end{array}$$
and
$$P_2 \triangleq S_3 \parallel S_4 .$$
We can prove that $P_2$ always has $2$ as an upper bound of liveness:
$$(\nwarrow 1 \wedge \llbracket P_2\rrbracket) \Rightarrow \Box_{sdc}\forall h_1, h_2.(\lceil (c = h_1) \wedge (d = h_2)\rceil \Rightarrow (\ell \le 2)) .$$
The proof from the semantic definition of $P_2$ is too tedious to present here. Verification techniques with DC formulas as specifications have been investigated in [93]. This book will not cover this topic.
11.1 Introduction

The chop-based interval temporal logics, such as ITL [43], IL and DC, are useful for the specification and verification of safety properties of real-time systems. In these logics, one can easily express properties such as

• "if $\phi$ holds for an interval, then there is a subinterval where $\psi$ holds", and

• "if $\phi$ holds for an interval, then $\psi$ holds for all subintervals".

However, these logics cannot express (unbounded) liveness properties such as

• "eventually there is an interval where $\phi$ holds", and

• "$\phi$ will hold infinitely often in the future".

Surprisingly, these logics cannot express even state transitions, and hence we had to introduce extra atomic formulas ($\nwarrow S$ and $\nearrow S$) in Chap. 9.

The reason for this limitation is that the chop modality, $\frown$, is a contracting modality, in the sense that the truth of $\phi \frown \psi$ on the interval $[b, e]$ depends only on subintervals of $[b, e]$:

$\phi \frown \psi$ holds on $[b, e]$ iff there exists $m \in [b, e]$ such that $\phi$ holds on $[b, m]$ and $\psi$ holds on $[m, e]$:

(Figure: $\phi \frown \psi$ on $[b, e]$, with $\phi$ holding on $[b, m]$ and $\psi$ on $[m, e]$.)

Hence, with $\frown$ one cannot access any interval outside a given reference interval. Therefore, formulas constructed from the connectives of first-order logic and the chop modality cannot express state transitions or liveness and fairness properties unless specific atomic formulas are introduced.

When logics based on $\frown$ are used to specify hybrid systems, as done in [170] for example, notions of real analysis such as limits, continuity and differentiability, which are definable through the notion of a neighborhood, cannot be formalized. The definition of a limit at a point must refer to neighborhood properties of the point, i.e. properties over superintervals of the point.

To cope with this, an informal mathematical theory of real analysis was assumed in [170] and also in other languages for specifying hybrid systems, e.g. in hybrid statecharts [92], hybrid automata [4] and TLA$^+$ [76]. In order to improve the expressiveness of the chop-based interval temporal logic, people have introduced infinite intervals [97, 162] and expanding modalities [31, 103, 139, 148].

For example, [148] establishes a complete propositional calculus for three binary interval modalities: $\frown$ (denoted by $C$ in [148]), $T$ and $D$. The last two are expanding in the sense that the truth value of the formulas $\phi T \psi$ and $\phi D \psi$ on an interval $[b, e]$ depends on intervals "outside" $[b, e]$:

$\phi T \psi$ holds on $[b, e]$ iff there exists $c \ge e$ such that $\phi$ holds on $[e, c]$ and $\psi$ holds on $[b, c]$:

(Figure: $\phi T \psi$ on $[b, e]$, with $\phi$ on $[e, c]$ to the right of the reference interval and $\psi$ on $[b, c]$.)

Hence, $T$ refers to an expansion of a given interval in future time. Symmetrically, $D$ refers to an expansion in past time:

$\phi D \psi$ holds on $[b, e]$ iff there exists $a \le b$ such that $\phi$ holds on $[a, b]$ and $\psi$ holds on $[a, e]$:

(Figure: $\phi D \psi$ on $[b, e]$, with $\phi$ on $[a, b]$ to the left of the reference interval and $\psi$ on $[a, e]$.)

Liveness can be specified using these modalities [139], and there is a complete axiomatization of a propositional modal logic of the three modalities $C$, $T$ and $D$. Some of the axioms and rules of this logic are, however, complicated.

Interval modalities are not necessarily binary. In [1], there is a list of thirteen possible unary interval modalities, and in [44] it was shown that six of them are basic in the sense that the remaining unary modalities can be derived from the basic ones in propositional logic. Of the basic modalities, two are contracting, and four are expanding. If one confines oneself to propositional logic, one cannot derive the chop from the thirteen unary modalities [147].
In this chapter, we present a first-order interval logic [165], which has two simple expanding modalities:

• $\Diamond_l\phi$ reads "for some left neighborhood $\phi$", and

• $\Diamond_r\phi$ reads "for some right neighborhood $\phi$".

They are defined as follows:

• $\Diamond_l\phi$ holds on $[b, e]$ iff there exists $\delta \ge 0$ such that $\phi$ holds on $[b - \delta, b]$, and

• $\Diamond_r\phi$ holds on $[b, e]$ iff there exists $\delta \ge 0$ such that $\phi$ holds on $[e, e + \delta]$.

With $\Diamond_l$ and $\Diamond_r$, one can reach left and right neighborhoods, respectively, of the beginning and ending points of an interval.

When the interval is a point interval (i.e. $b = e$ in the definitions), these neighborhoods become the conventional left and right neighborhoods of a point, if we assume $\delta > 0$. We therefore call $\Diamond_l$ and $\Diamond_r$ the left and right neighborhood modalities, respectively. They are expanding modalities, and very similar to $\langle A\rangle$ and $\langle\bar{A}\rangle$ of the six basic modalities of [44].

This first-order interval logic is called neighborhood logic (abbreviated to NL). NL is adequate in the sense that the six basic unary modalities of [44] and the three binary modalities of [147] are expressible in NL. Similarly to the axiomatization of IL in [27], we can give a complete proof system for NL. This proof system is much more intuitive than the propositional calculus for the modalities $C$, $T$ and $D$ given in [147].

On the basis of NL, we can also establish a duration calculus which can express state transitions, and liveness and fairness properties. In [165], notions from real analysis are also expressed in an NL-based duration calculus.

11.2 Syntax and Semantics

The syntax and semantics of NL are similar to those of IL given in Chap. 2, except that the chop modality, $\frown$, is replaced by the left and right neighborhood modalities, $\Diamond_l$ and $\Diamond_r$.

The set of formulas of NL is defined by the following syntax:
$$\phi ::= X \mid G^n(\theta_1, \dots, \theta_n) \mid \neg\phi \mid \phi \vee \psi \mid (\exists x)\phi \mid \Diamond_l\phi \mid \Diamond_r\phi .$$
The semantics of the formulas $\Diamond_l\phi$ and $\Diamond_r\phi$ is given below:
$$\begin{array}{l}
\mathcal{I}, \mathcal{V}, [b, e] \models \Diamond_l\phi \quad\text{iff there exists } \delta \ge 0:\ \mathcal{I}, \mathcal{V}, [b - \delta, b] \models \phi \\
\mathcal{I}, \mathcal{V}, [b, e] \models \Diamond_r\phi \quad\text{iff there exists } \delta \ge 0:\ \mathcal{I}, \mathcal{V}, [e, e + \delta] \models \phi ,
\end{array}$$
where $\mathcal{I}$ and $\mathcal{V}$ are the interpretation and value assignment, as defined in Chap. 2 for IL.

The notions of validity and satisfiability are defined as for IL.

We introduce the following abbreviations:

$\Diamond_l^c\phi \triangleq \Diamond_r\Diamond_l\phi$ reads "for some left neighborhood of the end point: $\phi$"

$\Diamond_r^c\phi \triangleq \Diamond_l\Diamond_r\phi$ reads "for some right neighborhood of the start point: $\phi$"

The modalities $\Diamond_l^c$ and $\Diamond_r^c$ are called the converses of the modalities $\Diamond_l$ and $\Diamond_r$, respectively.

The following semantical calculation shows the meaning of $\Diamond_l^c$:
$$\begin{array}{l}
\mathcal{I}, \mathcal{V}, [b, e] \models \Diamond_l^c\phi \\
\text{iff } \mathcal{I}, \mathcal{V}, [b, e] \models \Diamond_r\Diamond_l\phi \\
\text{iff there exists } \delta' \ge 0:\ \mathcal{I}, \mathcal{V}, [e, e + \delta'] \models \Diamond_l\phi \\
\text{iff there exists } \delta \ge 0:\ \mathcal{I}, \mathcal{V}, [e - \delta, e] \models \phi .
\end{array}$$
(Figure: $\Diamond_l^c\phi$ on $[b, e]$, with $\phi$ on $[a, e]$, where $a = e - \delta$.)

A similar calculation for $\Diamond_r^c$ establishes that
$$\mathcal{I}, \mathcal{V}, [b, e] \models \Diamond_r^c\phi \quad\text{iff for some } \delta \ge 0:\ \mathcal{I}, \mathcal{V}, [b, b + \delta] \models \phi .$$
(Figure: $\Diamond_r^c\phi$ on $[b, e]$, with $\phi$ on $[b, a]$, where $a = b + \delta$.)

We use the same conventions for precedence of the modalities introduced in this chapter as for IL (see Sect. 2.1). Hence, the unary modalities have the same precedence as $\Box$ and $\Diamond$, and the binary modalities have the same precedence as $\frown$.
Table 11.1. The six basic modalities listed in [44]

Modality                  Intervals reachable from the "reference interval"
$\langle A\rangle$        Nonpoint right neighborhoods
$\langle\bar{A}\rangle$   Nonpoint left neighborhoods
$\langle B\rangle$        Strict prefix intervals
$\langle\bar{B}\rangle$   Intervals which have the reference interval as a strict prefix
$\langle E\rangle$        Strict suffix intervals
$\langle\bar{E}\rangle$   Intervals which have the reference interval as a strict suffix

11.3 Adequacy of Neighborhood Modalities

In this section, we show that the six basic unary interval modalities of [44] and the three binary interval modalities (i.e. $C$, $T$ and $D$) of [148] can be defined in NL. The six basic modalities of [44] are denoted by the symbols listed in Table 11.1.

The meaning of these six unary modalities and the three binary modalities $\frown$, $T$ and $D$ is given by:

1. $\mathcal{I}, \mathcal{V}, [b, e] \models \langle A\rangle\phi$ iff there exists $a > e$: $\mathcal{I}, \mathcal{V}, [e, a] \models \phi$.

2. $\mathcal{I}, \mathcal{V}, [b, e] \models \langle\bar{A}\rangle\phi$ iff there exists $a < b$: $\mathcal{I}, \mathcal{V}, [a, b] \models \phi$.

3. $\mathcal{I}, \mathcal{V}, [b, e] \models \langle B\rangle\phi$ iff there exists $a$ such that $b \le a < e$ and $\mathcal{I}, \mathcal{V}, [b, a] \models \phi$.

4. $\mathcal{I}, \mathcal{V}, [b, e] \models \langle\bar{B}\rangle\phi$ iff there exists $a > e$: $\mathcal{I}, \mathcal{V}, [b, a] \models \phi$.

5. $\mathcal{I}, \mathcal{V}, [b, e] \models \langle E\rangle\phi$ iff there exists $a$ such that $b < a \le e$ and $\mathcal{I}, \mathcal{V}, [a, e] \models \phi$.

6. $\mathcal{I}, \mathcal{V}, [b, e] \models \langle\bar{E}\rangle\phi$ iff there exists $a < b$: $\mathcal{I}, \mathcal{V}, [a, e] \models \phi$.

7. $\mathcal{I}, \mathcal{V}, [b, e] \models \phi \frown \psi$ iff there exists $m \in [b, e]$: $\mathcal{I}, \mathcal{V}, [b, m] \models \phi$ and $\mathcal{I}, \mathcal{V}, [m, e] \models \psi$.

8. $\mathcal{I}, \mathcal{V}, [b, e] \models \phi T \psi$ iff there exists $a \ge e$: $\mathcal{I}, \mathcal{V}, [e, a] \models \phi$ and $\mathcal{I}, \mathcal{V}, [b, a] \models \psi$.

9. $\mathcal{I}, \mathcal{V}, [b, e] \models \phi D \psi$ iff there exists $a \le b$: $\mathcal{I}, \mathcal{V}, [a, b] \models \phi$ and $\mathcal{I}, \mathcal{V}, [a, e] \models \psi$.
Theorem 11.1 (Adequacy) The above nine modalities can be expressed in NL.

Proof. The following equivalences establish the theorem. The validity of each of them can be easily concluded by using the semantic definitions.

1. $\langle A\rangle\phi \Leftrightarrow \Diamond_r((\ell > 0) \wedge \phi)$,

where $(\ell > 0)$ guarantees that the right expansion is a nonpoint interval.

2. $\langle\bar{A}\rangle\phi \Leftrightarrow \Diamond_l((\ell > 0) \wedge \phi)$,

where $(\ell > 0)$ guarantees that the left expansion is a nonpoint interval.

3. $\langle B\rangle\phi \Leftrightarrow \exists x.((\ell = x) \wedge \Diamond_r^c((\ell < x) \wedge \phi))$,

where $\Diamond_r^c$ defines an interval that has the same beginning point as the original interval, and $(\ell < x)$ stipulates that the defined interval is a strict subinterval of the original interval.

4. $\langle\bar{B}\rangle\phi \Leftrightarrow \exists x.((\ell = x) \wedge \Diamond_r^c((\ell > x) \wedge \phi))$.

This equivalence is similar to that for $\langle B\rangle\phi$, except that $(\ell > x)$ is used to stipulate a strict superinterval of the original interval.

5. $\langle E\rangle\phi \Leftrightarrow \exists x.((\ell = x) \wedge \Diamond_l^c((\ell < x) \wedge \phi))$.

This equivalence is similar to that for $\langle B\rangle\phi$, except that here $\Diamond_l^c$ defines an interval that has the same ending point as the original interval.

6. $\langle\bar{E}\rangle\phi \Leftrightarrow \exists x.((\ell = x) \wedge \Diamond_l^c((\ell > x) \wedge \phi))$.

This equivalence is similar to that for $\langle E\rangle\phi$, except that $(\ell > x)$ is used to stipulate a strict superinterval of the original interval.

7. $\phi \frown \psi \Leftrightarrow \exists x, y.((\ell = x + y) \wedge \Diamond_r^c((\ell = x) \wedge \phi \wedge \Diamond_r((\ell = y) \wedge \psi)))$,

where $(\ell = x + y)$ stipulates that the two consecutive right expansions of lengths $x$ and $y$ exactly cover the original interval.

8. $\phi T \psi \Leftrightarrow \exists x, y.((\ell = x) \wedge \Diamond_r((\ell = y) \wedge \phi \wedge \Diamond_l^c((\ell = x + y) \wedge \psi)))$,

where $(\ell = x + y)$ guarantees that the left expansion, $\Diamond_l^c$, exactly covers the original interval and its right expansion, $\Diamond_r$.

9. $\phi D \psi \Leftrightarrow \exists x, y.((\ell = x) \wedge \Diamond_l((\ell = y) \wedge \phi \wedge \Diamond_r^c((\ell = x + y) \wedge \psi)))$,

where $(\ell = x + y)$ guarantees that the right expansion, $\Diamond_r^c$, exactly covers the original interval and its left expansion, $\Diamond_l$.

□
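As an added, runnable illustration of Sects. 11.2 and 11.3 (example code written for this edit, not the book's): the NL semantics over a finite integer time grid, with the nine modalities evaluated both directly and through their Theorem 11.1 translations, so the equivalences can be checked exhaustively. T_MAX, the sample formulas in ATOMS and every function name are assumptions of this model; restricting time to integers is what makes the check finite.

```python
"""Brute-force model checker for the NL modalities of Sects. 11.2 and 11.3.

Added example, not code from the book: time is the integer grid 0..T_MAX, formulas are
Python predicates on intervals (b, e) with b <= e, and the global variables x, y range
over the possible lengths.  Each of the nine modalities of Sect. 11.3 is evaluated both
by its direct interval semantics and by its NL translation from Theorem 11.1.
"""
from itertools import product

T_MAX = 4                    # constructed bound of the discrete time domain
LENGTHS = range(T_MAX + 1)   # domain of the length variables x and y

def intervals():
    """All intervals [b, e] of the finite model."""
    return [(b, e) for b in range(T_MAX + 1) for e in range(b, T_MAX + 1)]

# Primitive modalities: delta >= 0, so a point neighbourhood is allowed (cf. NLA3, NL2).
def dia_l(phi):
    """<>_l phi holds on [b, e] iff phi holds on [b - delta, b] for some delta >= 0."""
    return lambda b, e: any(phi(b - d, b) for d in range(b + 1))

def dia_r(phi):
    """<>_r phi holds on [b, e] iff phi holds on [e, e + delta] for some delta >= 0."""
    return lambda b, e: any(phi(e, e + d) for d in range(T_MAX - e + 1))

# Converses exactly as abbreviated in Sect. 11.2.
def dia_l_c(phi): return dia_r(dia_l(phi))   # <>_l^c = <>_r <>_l
def dia_r_c(phi): return dia_l(dia_r(phi))   # <>_r^c = <>_l <>_r

def ell(op, n):
    """The length constraint (ell op n), e.g. ell('<', 3) is the formula (ell < 3)."""
    cmp = {'=': lambda a, c: a == c, '<': lambda a, c: a < c, '>': lambda a, c: a > c}[op]
    return lambda b, e: cmp(e - b, n)

def conj(*fs):
    return lambda b, e: all(f(b, e) for f in fs)

def exists(body, arity=1):
    """(exists x ...) body(x, ...), every quantified variable ranging over LENGTHS."""
    return lambda b, e: any(body(*vs)(b, e) for vs in product(LENGTHS, repeat=arity))

def direct(name, phi, psi=None):
    """Direct interval semantics of the nine modalities (the numbered list of Sect. 11.3)."""
    return {
        'A':    lambda b, e: any(phi(e, a) for a in range(e + 1, T_MAX + 1)),
        'Abar': lambda b, e: any(phi(a, b) for a in range(0, b)),
        'B':    lambda b, e: any(phi(b, a) for a in range(b, e)),
        'Bbar': lambda b, e: any(phi(b, a) for a in range(e + 1, T_MAX + 1)),
        'E':    lambda b, e: any(phi(a, e) for a in range(b + 1, e + 1)),
        'Ebar': lambda b, e: any(phi(a, e) for a in range(0, b)),
        'chop': lambda b, e: any(phi(b, m) and psi(m, e) for m in range(b, e + 1)),
        'T':    lambda b, e: any(phi(e, a) and psi(b, a) for a in range(e, T_MAX + 1)),
        'D':    lambda b, e: any(phi(a, b) and psi(a, e) for a in range(0, b + 1)),
    }[name]

def nl(name, phi, psi=None):
    """The NL formula given for each modality in the proof of Theorem 11.1."""
    return {
        'A':    dia_r(conj(ell('>', 0), phi)),
        'Abar': dia_l(conj(ell('>', 0), phi)),
        'B':    exists(lambda x: conj(ell('=', x), dia_r_c(conj(ell('<', x), phi)))),
        'Bbar': exists(lambda x: conj(ell('=', x), dia_r_c(conj(ell('>', x), phi)))),
        'E':    exists(lambda x: conj(ell('=', x), dia_l_c(conj(ell('<', x), phi)))),
        'Ebar': exists(lambda x: conj(ell('=', x), dia_l_c(conj(ell('>', x), phi)))),
        'chop': exists(lambda x, y: conj(ell('=', x + y), dia_r_c(conj(
                    ell('=', x), phi, dia_r(conj(ell('=', y), psi))))), 2),
        'T':    exists(lambda x, y: conj(ell('=', x), dia_r(conj(
                    ell('=', y), phi, dia_l_c(conj(ell('=', x + y), psi))))), 2),
        'D':    exists(lambda x, y: conj(ell('=', x), dia_l(conj(
                    ell('=', y), phi, dia_r_c(conj(ell('=', x + y), psi))))), 2),
    }[name]

MODALITIES = ('A', 'Abar', 'B', 'Bbar', 'E', 'Ebar', 'chop', 'T', 'D')

def counterexample(f, g):
    """First interval on which f and g differ, or None if they agree everywhere."""
    return next(((b, e) for (b, e) in intervals() if f(b, e) != g(b, e)), None)

def check_adequacy(atoms):
    """Modalities whose direct semantics and NL translation agree on every
    interval for every choice of phi and psi among the sample formulas `atoms`."""
    return [name for name in MODALITIES
            if all(counterexample(direct(name, phi, psi), nl(name, phi, psi)) is None
                   for phi in atoms for psi in atoms)]

# Constructed sample formulas: two length constraints and two "propositional letters"
# interpreted as arbitrary sets of intervals.
ATOMS = [ell('=', 1), ell('>', 1),
         lambda b, e: (b, e) in {(0, 2), (2, 3), (3, 3), (1, 4)},
         lambda b, e: b % 2 == 0 and e == T_MAX]

if __name__ == '__main__':
    print('adequate in the finite model:', check_adequacy(ATOMS))
    # Without the (ell > 0) guard of equivalence 1 the point neighbourhood [e, e] sneaks in:
    print('first difference:', counterexample(direct('A', ell('=', 0)), dia_r(ell('=', 0))))
```

The second print shows why the guard $(\ell > 0)$ in equivalences 1 and 2 is needed: with $\delta \ge 0$, $\Diamond_r$ alone also reaches the point interval $[e, e]$.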



11.4 Proof System

In this section we present the proof system of NL and establish a set of theorems which can help us in understanding this logic.

11.4.1 Axioms and Rules

In the following axiom and rule schemas, $\Diamond$ is a parameter, which can be instantiated by either $\Diamond_l$ or $\Diamond_r$. As is usual when a schema is instantiated, the instantiation must be consistent for all occurrences of $\Diamond$ in the schema. We adopt the abbreviations
$$\begin{array}{l}
\bar{\Diamond} \triangleq \left\{\begin{array}{ll} \Diamond_r, & \text{if } \Diamond = \Diamond_l \\ \Diamond_l, & \text{if } \Diamond = \Diamond_r \end{array}\right. \\[2ex]
\Box \triangleq \neg\Diamond\neg \\
\bar{\Box} \triangleq \neg\bar{\Diamond}\neg \\
\Diamond^c \triangleq \bar{\Diamond}\Diamond .
\end{array}$$

To formulate the axioms and inference rules, we need the notions of flexible and rigid terms and formulas, as introduced for IL. A term is called "flexible" if it contains temporal variables or $\ell$. A formula is called "flexible" if it contains flexible terms or propositional letters. A term or formula is called "rigid" if it is not flexible.

The axiom schemas of NL are:

• Interval length is nonnegative:

NLA1 $\quad \ell \ge 0 .$

• Rigid formulas are not connected to intervals:

NLA2 $\quad \Diamond\phi \Rightarrow \phi$, provided $\phi$ is rigid.

• A neighborhood can be of arbitrary length:

NLA3 $\quad x \ge 0 \Rightarrow \Diamond(\ell = x) .$

• Neighborhood modalities can be distributed over disjunction and the existential quantifier:

NLA4 $\quad \Diamond(\phi \vee \psi) \Rightarrow (\Diamond\phi \vee \Diamond\psi) .$
$\qquad\quad\ \ \Diamond\exists x.\phi \Rightarrow \exists x.\Diamond\phi .$

• A neighborhood is determined by its length:

NLA5 $\quad \Diamond((\ell = x) \wedge \phi) \Rightarrow \Box((\ell = x) \Rightarrow \phi) .$

• Left and right neighborhoods of an interval always end and start, respectively, at the same point:

NLA6 $\quad \Diamond\bar{\Diamond}\phi \Rightarrow \Box\bar{\Diamond}\phi .$
• Left neighborhoods of the ending point of an interval must be the same interval if they have the same length, and, similarly, right neighborhoods of the beginning point of an interval must be the same interval if they have the same length:

NLA7 $\quad (\ell = x) \Rightarrow (\phi \Leftrightarrow \Diamond^c((\ell = x) \wedge \phi)) .$

• Two consecutive left or right expansions can be replaced by a single left or right expansion, if the latter expansion has a length equal to the sum of the lengths of the two former expansions:

NLA8 $\quad (x \ge 0 \wedge y \ge 0) \Rightarrow (\Diamond((\ell = x) \wedge \Diamond((\ell = y) \wedge \Diamond\phi)) \Leftrightarrow \Diamond((\ell = x + y) \wedge \Diamond\phi)) .$

The rule schemas of NL are:

NLM $\quad$ If $\phi \Rightarrow \psi$ then $\Diamond\phi \Rightarrow \Diamond\psi$. $\qquad$ (monotonicity)

NLN $\quad$ If $\phi$ then $\Box\phi$. $\qquad$ (necessity)

MP $\quad$ If $\phi$ and $\phi \Rightarrow \psi$ then $\psi$. $\qquad$ (modus ponens)

G $\quad$ If $\phi$ then $(\forall x)\phi$. $\qquad$ (generalization)

The monotonicity and necessity rules are taken from modal logic, and the modus ponens and generalization rules are taken from first-order predicate logic.

Similarly to IL, the proof system also contains axioms of first-order predicate logic with equality, including Q1 and Q2 with side conditions:

Q1 $\quad \forall x.\phi(x) \Rightarrow \phi(\theta)$

Q2 $\quad \phi(\theta) \Rightarrow \exists x.\phi(x)$

both provided that $\theta$ is free for $x$ in $\phi(x)$, and either $\theta$ is rigid or $\phi(x)$ is modality free, where a formula is called modality free if it contains neither $\Diamond_l$ nor $\Diamond_r$.

The proof system also has to include a first-order theory for the time and value domain, i.e. a first-order theory of real arithmetic. We shall discuss this issue in Sect. 11.5 with regard to the completeness of IL and NL.

The notions of proof, theorem and deduction are defined as for IL.

The soundness of the NL proof system can be established by proving the soundness of every axiom and rule. In [93], NL is encoded in PVS and the soundness of NL is proved.

Theorem 11.2 (Soundness) If $\vdash \phi$ then $\models \phi$.
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11.4.2 Theorems 



We list and sketch proofs of a set of theorems which can help in understanding 
the calculus. 

The first deduction to be derived is the monotonicity of □: 

NLl 

Proof. 



1. (I)=> 'ip 

2 . - 1 ^ => -10 

3. O-ii/j => 0—i(f> 

4. => — i<C>“i'0 



assumption 

1., PL 

2., NLM 

3., PL. 



□ 



NL2  $\Diamond\mathrm{true}$ .
     $\Diamond\mathrm{false} \Leftrightarrow \mathrm{false}$ .

Proof. Note that a reference interval is neither a left nor a right neighborhood of itself when its length is nonzero. That is, $\Diamond_l$ and $\Diamond_r$ are not reflexive, and $\phi \Rightarrow \Diamond\phi$ is not valid for an arbitrary formula $\phi$. So the proof of the first part is a little tricky:

1. $(0 \ge 0) \Rightarrow \Diamond(\ell = 0)$   NLA3
2. $\Diamond(\ell = 0)$   $(0 \ge 0)$, 1., MP
3. $\Diamond\mathrm{true}$   NLM.

The second part of NL2 is an instance of NLA2. □

The following theorem proves the truth of the inverse of NLA4.

NL3  $(\Diamond\phi \vee \Diamond\psi) \Rightarrow \Diamond(\phi \vee \psi)$ .
     $\exists x.\Diamond\phi \Rightarrow \Diamond\exists x.\phi$ .

Proof. Proof of the first part:

1. $\phi \Rightarrow (\phi \vee \psi)$   PL
2. $\Diamond\phi \Rightarrow \Diamond(\phi \vee \psi)$   1., NLM
3. $\psi \Rightarrow (\phi \vee \psi)$   PL
4. $\Diamond\psi \Rightarrow \Diamond(\phi \vee \psi)$   3., NLM
5. $(\Diamond\phi \vee \Diamond\psi) \Rightarrow \Diamond(\phi \vee \psi)$   2., 4., PL.

Proof of the second part:

1. $\phi \Rightarrow \exists x.\phi$   PL
2. $\Diamond\phi \Rightarrow \Diamond\exists x.\phi$   1., NLM
3. $\forall x.(\Diamond\phi \Rightarrow \Diamond\exists x.\phi)$   2., G
4. $\forall x.(\Diamond\phi \Rightarrow \Diamond\exists x.\phi) \Rightarrow (\exists x.\Diamond\phi \Rightarrow \Diamond\exists x.\phi)$   PL, $x$ is not free in $\Diamond\exists x.\phi$
5. $\exists x.\Diamond\phi \Rightarrow \Diamond\exists x.\phi$   3., 4., MP.

□
The modalities $\Box$ and $\Diamond$ have the typical relations of modal logic.

NL4  $\Box\phi \Rightarrow \Diamond\phi$ .
     $(\Diamond\phi \wedge \Box\psi) \Rightarrow \Diamond(\phi \wedge \psi)$ .
     $(\Box\phi \wedge \Box\psi) \Leftrightarrow \Box(\phi \wedge \psi)$ .

Proof. We present proofs of the first two parts only.

Proof of the first part:

$\Box\phi$
$\Rightarrow \Diamond(\phi \vee \neg\phi)$   NL2, PL
$\Rightarrow \Diamond\phi \vee \Diamond\neg\phi$   NLA4
$\Rightarrow \Diamond\phi$   Def($\Box$), PL.

Proof of the second part:

$\Diamond\phi \wedge \Box\psi$
$\Rightarrow \Diamond((\phi \wedge \psi) \vee (\phi \wedge \neg\psi)) \wedge \Box\psi$   PL, NLM
$\Rightarrow (\Diamond(\phi \wedge \psi) \vee \Diamond(\phi \wedge \neg\psi)) \wedge \Box\psi$   NLA4
$\Rightarrow (\Diamond(\phi \wedge \psi) \wedge \Box\psi) \vee (\Diamond\neg\psi \wedge \Box\psi)$   PL
$\Rightarrow \Diamond(\phi \wedge \psi)$   PL, Def($\Box$).

□



As explained above, $\Diamond$ is not reflexive when the length of the reference interval is nonzero. However, $\Diamond^c$ is reflexive, and the intervals reachable by $\Diamond^c_l$ and $\Diamond^c_r$ have the same ending and beginning points, respectively, as the reference interval. So we can prove the following theorem.

NL5  $\phi \Rightarrow \Diamond^c\phi$ .
     $\Diamond^c\Diamond\phi \Leftrightarrow \Diamond\phi$ .
     $(\Diamond\phi \wedge \Diamond^c\psi) \Leftrightarrow \Diamond(\phi \wedge \Diamond\psi)$ .

Proof. Proof of the first part, where we assume that $x$ is not free in $\phi$:

1. $(\ell = x) \wedge \phi$
   $\Rightarrow \Diamond^c((\ell = x) \wedge \phi)$   NLA7
   $\Rightarrow \Diamond^c\phi$   PL, NLM
2. $\exists x.((\ell = x) \wedge \phi) \Rightarrow \Diamond^c\phi$   1., PL, $x$ not free in $\Diamond^c\phi$
3. $\phi$
   $\Rightarrow (\exists x.(\ell = x)) \wedge \phi$   PL
   $\Rightarrow \exists x.((\ell = x) \wedge \phi)$   PL, $x$ not free in $\phi$
4. $\phi \Rightarrow \Diamond^c\phi$   2., 3., PL.

Proof of the second part:

The direction $\Leftarrow$ follows from the first part when NLM is applied. The following proof establishes the direction $\Rightarrow$:

1. $\Diamond^c\Diamond\phi$
   $\Rightarrow \Box\Diamond\Diamond\phi$   NLA6 ($\Diamond^c\Diamond\phi \equiv \Diamond\Diamond\Diamond\phi$)
   $\Rightarrow \Box\Box\Diamond\phi$   NLA6, NL1
2. $\Diamond^c\Diamond\phi \wedge \neg\Diamond\phi$
   $\Rightarrow \Box\Box\Diamond\phi \wedge \Diamond^c\neg\Diamond\phi$   1., NL5 (part 1), PL
   $\Rightarrow \Diamond(\Box\Diamond\phi \wedge \Diamond\neg\Diamond\phi)$   NL4 ($\Diamond^c \equiv \Diamond\Diamond$)
   $\Rightarrow \Diamond\Diamond(\Diamond\phi \wedge \neg\Diamond\phi)$   NL4, NLM
   $\Rightarrow \mathrm{false}$   PL, NL2, NLM
3. $\Diamond^c\Diamond\phi \Rightarrow \Diamond\phi$   2., PL.

Proof of the third part:

The direction $\Leftarrow$ follows from PL and NLM. The following proof establishes the direction $\Rightarrow$:

$\Diamond\phi \wedge \Diamond^c\psi$
$\Rightarrow \Diamond\phi \wedge \Box\Diamond\psi$   NLA6, PL
$\Rightarrow \Diamond(\phi \wedge \Diamond\psi)$   NL4.

□

From NLA6 and NLA7, we can derive more properties of combinations of $\Diamond$, $\Diamond^c$ and $\Box$.

NL6  $\Diamond\Box\phi \Rightarrow \Box\Box\phi$ .
     $\Rightarrow \Box\phi$ .
     $(\Diamond\phi \wedge \Diamond^c\Box\psi) \Leftrightarrow \Diamond(\phi \wedge \Box\psi)$ .

Proof. The proofs of these theorems are similar to those for NL5, and are omitted here. □

In order to understand the application of NLA8, we prove the following theorems. In the formulation of these theorems, we assume that $(x > 0)$ and $(y > 0)$.

NL7
1. $(\ell = x) \Rightarrow (\Diamond((\ell = y) \wedge \Diamond\phi) \Leftrightarrow \Diamond^c((\ell = x + y) \wedge \Diamond\phi))$ ,
2. $(\ell = x) \Rightarrow (\Diamond((\ell = y) \wedge \phi) \Leftrightarrow \Diamond^c((\ell = x + y) \wedge \Diamond^c((\ell = y) \wedge \phi)))$ ,
3. $\Diamond((\ell = x) \wedge \Diamond((\ell = y) \wedge \phi)) \Leftrightarrow \Diamond((\ell = x + y) \wedge \Diamond^c((\ell = y) \wedge \phi))$ ,
4. $(y > x) \Rightarrow (\Diamond^c((\ell = x) \wedge \Diamond^c((\ell = y) \wedge \Diamond\phi)) \Leftrightarrow \Diamond((\ell = y - x) \wedge \Diamond\phi))$ ,
5. $(y > x) \Rightarrow (\Diamond^c((\ell = x) \wedge \Diamond^c((\ell = y) \wedge \phi)) \Leftrightarrow \Diamond((\ell = y - x) \wedge \Diamond^c((\ell = y) \wedge \phi)))$ .

Proof. Proof of the first part:

$(\ell = x)$
$\Rightarrow (\Diamond((\ell = y) \wedge \Diamond\phi) \Leftrightarrow \Diamond^c((\ell = x) \wedge \Diamond((\ell = y) \wedge \Diamond\phi)))$   NLA7
$\Rightarrow (\Diamond((\ell = y) \wedge \Diamond\phi) \Leftrightarrow \Diamond^c((\ell = x + y) \wedge \Diamond\phi))$   NLA8, NLM, PL.

Proof of the second part:

$(\ell = x)$
$\Rightarrow (\Diamond((\ell = y) \wedge \phi) \Leftrightarrow \Diamond((\ell = y) \wedge \Diamond^c((\ell = y) \wedge \phi)))$   NLA7
$\Rightarrow (\Diamond((\ell = y) \wedge \phi) \Leftrightarrow \Diamond^c((\ell = x + y) \wedge \Diamond^c((\ell = y) \wedge \phi)))$   NL7 (part 1).

We now give a proof of the fourth part, leaving the proofs of the third and fifth parts to the reader.

Assume $y > x$:

1. $\Diamond^c((\ell = x) \wedge \Diamond^c((\ell = y) \wedge \Diamond\phi))$
   $\Leftrightarrow \Diamond^c((\ell = x) \wedge \Diamond((\ell = y - x) \wedge \Diamond\phi))$   NL7 (part 1)
2. $\Diamond^c((\ell = x) \wedge \Diamond((\ell = y - x) \wedge \Diamond\phi))$
   $\Rightarrow \Diamond^c(\ell = x) \wedge \Diamond^c\Diamond((\ell = y - x) \wedge \Diamond\phi)$   NLM, PL
   $\Rightarrow \Diamond((\ell = y - x) \wedge \Diamond\phi)$   NL5, PL
3. $\mathrm{true} \Rightarrow \Diamond(\ell = x)$   PL, NLA3
4. $\Diamond\mathrm{true} \Rightarrow \Diamond\Diamond(\ell = x)$   3., NLM
5. $\Diamond^c(\ell = x)$   4., NL2, MP
6. $\Diamond((\ell = y - x) \wedge \Diamond\phi)$
   $\Rightarrow \Diamond^c(\ell = x) \wedge \Diamond^c\Diamond((\ell = y - x) \wedge \Diamond\phi)$   5., NL5, PL
   $\Rightarrow \Diamond(\Diamond(\ell = x) \wedge \Diamond^c((\ell = y - x) \wedge \Diamond\phi))$   NL5
   $\Rightarrow \Diamond\Diamond((\ell = x) \wedge \Diamond((\ell = y - x) \wedge \Diamond\phi))$   NL5
7. $\Diamond^c((\ell = x) \wedge \Diamond^c((\ell = y) \wedge \Diamond\phi)) \Leftrightarrow \Diamond((\ell = y - x) \wedge \Diamond\phi)$   1., 2., 6., PL.

□

A deduction theorem can be proved for NL which is similar to the deduction theorem for IL given in Chap. 2. The following abbreviation is useful for formulating the theorem: $\Box_a\phi$, which reads "for all intervals: $\phi$".

Theorem 11.3 (Deduction) If a deduction $\Gamma, \phi \vdash \psi$ involves no application of the generalization rule G in which the quantified variable is free in $\phi$, then

$\Gamma \vdash \Box_a\phi \Rightarrow \psi$ .

Proof. See [130]. □



11.5 Completeness for an Abstract Domain 

So far, real numbers ($\mathbb{R}$) have been used as the time and value domain for IL and NL, and we have indicated that each of the proof systems of IL and NL considered has to include a first-order theory of real arithmetic for its time and value domain. In this section, we discuss the issue of completeness of IL and NL with regard to the first-order theory chosen.

Given a first-order theory of the domain of time and value, denoted by $\mathcal{A}$, a formula is $\mathcal{A}$-valid if it is valid for any time and value domain satisfying $\mathcal{A}$. To show the completeness of IL or NL with respect to $\mathcal{A}$-validity, one must show that any $\mathcal{A}$-valid IL or NL formula is provable in an IL or NL proof system in which $\mathcal{A}$ is chosen as the first-order theory for its time and value domain. This completeness is called completeness for an abstract domain.

In this section, we assume that $\mathcal{A}$ always includes the following axioms.

D1 Axioms for $=$:

1. $x = x$.
2. $(x = y) \Rightarrow (y = x)$.
3. $((x = y) \wedge (y = z)) \Rightarrow (x = z)$.
4. $((x_1 = y_1) \wedge \cdots \wedge (x_n = y_n)) \Rightarrow (f^n(x_1, \ldots, x_n) = f^n(y_1, \ldots, y_n))$, where $f^n$ is an $n$-ary function symbol.
5. $((x_1 = y_1) \wedge \cdots \wedge (x_n = y_n)) \Rightarrow (G^n(x_1, \ldots, x_n) \Leftrightarrow G^n(y_1, \ldots, y_n))$, where $G^n$ is an $n$-ary relation symbol.

D2 Axioms for $+$:

1. $(x + 0) = x$.
2. $(x + y) = (y + x)$.
3. $x + (y + z) = (x + y) + z$.
4. $((x + y) = (x + z)) \Rightarrow (y = z)$.

D3 Axioms for $\ge$:

1. $0 \ge 0$.
2. $((x \ge 0) \wedge (y \ge 0)) \Rightarrow (x + y) \ge 0$.
3. $(x \ge y) \Leftrightarrow \exists z \ge 0.(x = (y + z))$.
4. $\neg(x \ge y) \Leftrightarrow (y > x)$,

where $(y > x) \;\widehat{=}\; ((y \ge x) \wedge \neg(y = x))$.

D4 Axiom for $-$:

$(x - y) = z \Leftrightarrow x = (y + z)$.

The above axioms constitute a minimal first-order theory that can guarantee the completeness of IL and NL with respect to $\mathcal{A}$-validity. However, they are far from the "best" theory to characterize real numbers. For example, the singleton set $\{0\}$ satisfies all the above axioms. One may wish to introduce multiplication and division, or to have additional axioms and rules that capture more features of real numbers, such as the infinitude and the density of the reals, as follows.

D5 Axioms for infinitude:

1. $1 > 0$.
2. $(x + 1) > x$.

D6 Axiom for density:

$(x > y) \Rightarrow \exists z.((x > z) \wedge (z > y))$ .

Given $\mathcal{A}$, a set $D$ is called an $\mathcal{A}$-set if the function symbols and the relation symbols of IL or NL are defined over $D$ and satisfy $\mathcal{A}$. When an $\mathcal{A}$-set $D$ is chosen as a time and value domain of IL or NL, we denote the set of time intervals of $D$ by $\mathrm{Intv}_D$, denote a value assignment from global variables to $D$ by $\mathcal{V}_D$, and denote an interpretation with respect to $D$ by $\mathcal{J}_D$:

• $\mathrm{Intv}_D = \{ [b, e] \mid b, e \in D \wedge b \le e \}$,

• $\mathcal{V}_D : \mathrm{GVar} \to D$,

• $\mathcal{J}_D(v) : \mathrm{Intv}_D \to D$, for $v \in \mathrm{TVar}$, and

• $\mathcal{J}_D(X) : \mathrm{Intv}_D \to \{\mathrm{tt}, \mathrm{ff}\}$, for $X \in \mathrm{PLetter}$.

An $\mathcal{A}$-model $\mathcal{M}_D$ is a pair consisting of an $\mathcal{A}$-set, i.e. $D$, and an interpretation $\mathcal{J}_D$.

The truth value of a formula $\phi$ of IL or NL for the $\mathcal{A}$-model $\mathcal{M}_D$, value assignment $\mathcal{V}_D$ and interval $[b, e] \in \mathrm{Intv}_D$ is defined similarly to the semantic definitions given in Sect. 2.2 for IL and Sect. 11.2 for NL. We write $\mathcal{M}_D, \mathcal{V}_D, [b, e] \models_{\mathcal{A}} \phi$ to denote that $\phi$ is true for the given $\mathcal{A}$-model, value assignment and interval.

Formula $\phi$ is $\mathcal{A}$-valid (written $\models_{\mathcal{A}} \phi$) iff $\phi$ is true for any $\mathcal{A}$-model $\mathcal{M}_D$, value assignment $\mathcal{V}_D$ and interval $[b, e] \in \mathrm{Intv}_D$. $\phi$ is $\mathcal{A}$-satisfiable iff $\phi$ is true for some $\mathcal{A}$-model $\mathcal{M}_D$, value assignment $\mathcal{V}_D$ and interval $[b, e] \in \mathrm{Intv}_D$.

The proof systems of IL and NL are sound and complete with respect to the $\mathcal{A}$-models. For both IL and NL, we have:

Theorem 11.4 (Soundness) If $\vdash \phi$ then $\models_{\mathcal{A}} \phi$.

Theorem 11.5 (Completeness) If $\models_{\mathcal{A}} \phi$ then $\vdash \phi$.

A proof of the soundness theorem can be given by proving that each 
axiom is sound and that each inference rule preserves soundness in the sense 
that it gives a sound formula when applied to sound formulas. A proof of 
the completeness theorem for IL can be found in [27]. One can first prove the 
completeness of the calculus with respect to a kind of Kripke model, and then 
map the interval models to the Kripke models. Following [27], a completeness 
proof for NL is given in [9]. 

Remark. In [38], there is a similar completeness result for DC for an abstract domain. The main ideas are the following:

1. The induction rules IR1 and IR2 are replaced by an $\omega$-rule to axiomatize the finite variability of states. Let us use $\{S, \neg S\}$ as the set of complete state expressions to explain the $\omega$-rule. In Sect. 3.3, we introduced the abbreviations

$FA^0(S) \;\widehat{=}\; \lceil\,\rceil$

$FA^{i+1}(S) \;\widehat{=}\; FA^i(S) \vee (\lceil S \rceil {}^\frown FA^i(S)) \vee (\lceil \neg S \rceil {}^\frown FA^i(S))$ .

The $\omega$-rule can be formulated as

If $H(FA^i(S))$, for any $i$
then $H(\mathrm{true})$ .

2. On the basis of the finite variability of states, we can calculate $\int S$ over an interval of $\mathrm{Intv}_D$ (given an $\mathcal{A}$-set $D$ and an interpretation $\mathcal{J}_D$) by summing the lengths of the subintervals where the value of $S$ is the constant 1 under $\mathcal{J}_D$. Therefore, we can avoid the concept of an integral when we define the semantics of $\int S$ for an abstract domain. □



11.6 NL-Based Duration Calculus 

An NL-based duration calculus can be established as an extension of NL in 
the same way as DC was established as an extension of IL in Chap. 3. The 
induction rules of DC must, however, be weakened when the DC is based on 
NL, as it turns out that the original induction rules for DC are not sound 
when the DC is an extension of NL [130]. (A counterexample is given in 
[130].) 

The induction rules for this NL-based DC are restricted to formulas $H(X)$ having a specific form. Let $X$ be a propositional letter and $\phi$ be a formula in which $X$ does not occur. Let $H(X)$ denote the formula $\Box_a(X \Rightarrow \phi)$.

The two induction rules are still the following:

IR1  If $H(\lceil\,\rceil)$ and $H(X) \Rightarrow H(X \vee \bigvee_{i=1}^{n}(X {}^\frown \lceil S_i \rceil))$
     then $H(\mathrm{true})$

and

IR2  If $H(\lceil\,\rceil)$ and $H(X) \Rightarrow H(X \vee \bigvee_{i=1}^{n}(\lceil S_i \rceil {}^\frown X))$
     then $H(\mathrm{true})$ ,

where $S_1, S_2, \ldots, S_n$ are state expressions which are complete.

In the NL-based DC, the deduction theorem and relative-completeness result can also be proved [130] in a way similar to the proofs presented in Chaps. 3 and 5. Completeness for an abstract domain can also be proved if we replace the above IR1 and IR2 by the $\omega$-rule.

As a possible application of the NL-based DC, we introduce below some 
ideas about how to express state transitions, liveness and fairness within this 
logical framework. 



11.6.1 State Transitions, Liveness and Fairness 
State Transitions 

The two atomic formulas for a state $S$ given in Chap. 9 can be defined in the NL-based DC as

$\Diamond_l \lceil S \rceil$ and $\Diamond_r \lceil S \rceil$ ,

respectively.
Equal Distribution

Suppose two processes are competing for a resource and $S_i(t) = 1$ denotes that process $i$ ($i = 1, 2$) has access to the resource at time $t$. Assume that $S_1$ and $S_2$ are mutually exclusive (i.e. $\neg(S_1 \wedge S_2)$).

We can use the following formula to specify an equal distribution of the resource in the sense that the two processes should eventually have the same access time to the resource:

$\forall \varepsilon > 0.\, \exists T.\, \Box_a(\ell \ge T \Rightarrow |\int S_1 - \int S_2| \le \varepsilon)$ ,

where $\varepsilon$ and $T$ are regarded as global variables.



Liveness

The following formula specifies that the state $S$ occurs infinitely often:

$\mathit{inf}(S) \;\widehat{=}\;$ .

For example, an oscillator is specified for $S$ by

$\mathit{inf}(S) \wedge \mathit{inf}(\neg S)$ .

Strong Fairness

If $S_1$ denotes a request for a resource and $S_2$ denotes a response from the resource, then strong fairness requires that if requests occur infinitely often then responses must occur infinitely often. This can be formulated as

$\mathit{inf}(S_1) \Rightarrow \mathit{inf}(S_2)$ .

Weak Fairness

The following formula expresses the condition that a state $S$ stabilizes to $S = 1$ after some time:

$\mathit{stabilize}(S) \;\widehat{=}\;$

where $\lceil S \rceil^* \;\widehat{=}\; \lceil\,\rceil \vee \lceil S \rceil$ as in Sect. 10.3.3.

Weak fairness requires that if the requests for a resource stabilize, then there will be responses from the resource infinitely often:

$\mathit{stabilize}(S_1) \Rightarrow \mathit{inf}(S_2)$ .
11.6.2 Example: Delay-Insensitive Circuits

A delay-insensitive circuit is a circuit which can behave correctly regardless 
of the delays in its components. Its components may have unknown delays, 
which may even vary with time because of, for example, dependences on data 
or temperature. 

In [52], there is a DC specification of a delay-insensitive circuit and a 
proof of its correctness. This specification contains a free (global) variable for 
each component, denoting a changeable delay. The introduction of these free 
variables makes the specification and also its correctness proof rather clumsy. 
However, by applying the NL-based DC, we can model delay-insensitive cir- 
cuits succinctly. 

Let us use an example to explain the main idea. Figure 11.1 shows a delay-insensitive oscillator, which has an input $P$ and an output $Q$ and consists of a C-gate and an inverter with unknown delays.

Fig. 11.1. A delay-insensitive oscillator

The input $P$ and output $Q$ are modeled by state variables $P$ and $Q$, i.e.

$P, Q : \mathrm{Time} \to \{0, 1\}$ .

The behavior of the C-gate is: if $\neg(P \Leftrightarrow Q)$ then $Q$ will take the value of $P$ after a delay, and if $P \Leftrightarrow Q$ then $Q$ will retain its value after a delay. This can be specified in the NL-based DC as $CG \;\widehat{=}\; CG_1 \wedge CG_2 \wedge CG_3 \wedge CG_4$, where

$CG_1 \;\widehat{=}\; \Box_a(\lceil P \wedge \neg Q \rceil \Rightarrow \Diamond_r\Diamond_r \lceil Q \rceil)$
$CG_2 \;\widehat{=}\; \Box_a(\lceil \neg P \wedge Q \rceil \Rightarrow \Diamond_r\Diamond_r \lceil \neg Q \rceil)$
$CG_3 \;\widehat{=}\; \Box_a(\lceil P \wedge Q \rceil \Rightarrow \Diamond_r\Diamond_r \lceil Q \rceil)$
$CG_4 \;\widehat{=}\; \Box_a(\lceil \neg P \wedge \neg Q \rceil \Rightarrow \Diamond_r\Diamond_r \lceil \neg Q \rceil)$ .

The behavior of the inverter is: $P$ will take the complementary value of $Q$ after a delay. This can be specified as $IG \;\widehat{=}\; IG_1 \wedge IG_2$, where

$IG_1 \;\widehat{=}\; \Box_a(\lceil Q \rceil \Rightarrow \Diamond_r\Diamond_r \lceil \neg P \rceil)$
$IG_2 \;\widehat{=}\; \Box_a(\lceil \neg Q \rceil \Rightarrow \Diamond_r\Diamond_r \lceil P \rceil)$ .

An oscillator is a circuit whose output cannot be stable:

$OC \;\widehat{=}\; \mathit{inf}(Q) \wedge \mathit{inf}(\neg Q)$ .

The above circuit is an oscillator no matter what the initial values of $P$ and $Q$ are. That is, we can prove

$(CG \wedge IG) \Rightarrow OC$ .
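As an added example (not from the book), the following Python simulates the circuit of Fig. 11.1 in discrete time, with the C-gate and the inverter behaving as CG1..CG4 and IG1, IG2 describe, but with each delay drawn afresh from an assumed bounded range whenever a gate has a pending change; it checks that the output Q never stays constant for longer than one inverter delay plus one C-gate delay, whatever the delays and initial values, which is the oscillation property OC in this bounded setting.

```python
import random
from typing import Callable, List, Tuple

State = Tuple[int, int]  # (P, Q), each 0 or 1


def simulate_oscillator(p0: int, q0: int, delay: Callable[[], int],
                        steps: int) -> List[State]:
    """Discrete-time run of the circuit of Fig. 11.1 from the initial values (p0, q0).
    delay() is called whenever a gate gets a pending output change and returns the
    number of time units (>= 1) after which the change becomes visible; calling it
    afresh each time models delays that vary over time (an assumption of this model)."""
    p, q = p0, q0
    c_timer = None   # units left until the C-gate output Q settles to P
    i_timer = None   # units left until the inverter output P settles to not Q
    trace = [(p, q)]
    for _ in range(steps):
        # C-gate (CG1, CG2): while P differs from Q, Q takes the value of P after a delay;
        # (CG3, CG4): while P equals Q, Q keeps its value and a pending change is dropped.
        if p != q:
            if c_timer is None:
                c_timer = max(1, delay())
        else:
            c_timer = None
        # Inverter (IG1, IG2): P takes the complement of Q after a delay.
        if p == q:
            if i_timer is None:
                i_timer = max(1, delay())
        else:
            i_timer = None
        new_p, new_q = p, q
        if c_timer is not None:
            c_timer -= 1
            if c_timer == 0:
                new_q, c_timer = p, None
        if i_timer is not None:
            i_timer -= 1
            if i_timer == 0:
                new_p, i_timer = 1 - q, None
        p, q = new_p, new_q
        trace.append((p, q))
    return trace


def q_toggles(trace: List[State]) -> int:
    """Number of time points at which the output Q changes value."""
    return sum(1 for (_, a), (_, b) in zip(trace, trace[1:]) if a != b)


def longest_stable_q(trace: List[State]) -> int:
    """Length of the longest run of consecutive time units on which Q is constant;
    OC = inf(Q) and inf(not Q) requires that no such run is unbounded."""
    best = run = 1
    for (_, a), (_, b) in zip(trace, trace[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best


def check_oscillation(seed: int, max_delay: int = 5, steps: int = 200) -> bool:
    """Runs the circuit from all four initial states with random delays in 1..max_delay
    and checks that Q never stays constant longer than one inverter delay plus one
    C-gate delay, i.e. that the output keeps oscillating whatever the delays are."""
    rng = random.Random(seed)
    for p0, q0 in [(0, 0), (0, 1), (1, 0), (1, 1)]:
        trace = simulate_oscillator(p0, q0, lambda: rng.randint(1, max_delay), steps)
        if longest_stable_q(trace) > 2 * max_delay:
            return False
    return True


if __name__ == "__main__":
    run = simulate_oscillator(1, 0, lambda: 5, 200)
    print("Q toggles with constant delay 5:", q_toggles(run))
    print("oscillates for random delays:", all(check_oscillation(s) for s in range(10)))
```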
12.1 Introduction

This chapter provides a DC-based approach to the analysis of the depend- 
ability of real-time systems. 

For a safe gas burner, a flame detector designed to detect failure of the 
flame of the burner is necessary. However, no flame detector is perfect. That 
is, no flame detector will always be able to detect a flame failure immediately. 
The dependability of a flame detector can be described by a probability func- 
tion that depends on time. Therefore, undesirable behavior of a gas burner 
with an imperfect flame detector may not be avoidable; the dependability of 
the gas burner relies on the dependability of the flame detector. 

In this chapter we shall use a probabilistic automaton to model a fault- 
prone implementation of a system, where transitions are attached to (history- 
independent) probability functions, following an idea presented in [45, 77]. We 
shall also develop a probabilistic extension of DC. Using this extension, called 
probabilistic duration calculus (PDC), we can calculate and reason about the 
system dependability of an imperfect implementation. 

This chapter is based on [86, 87, 89, 90] and concentrates on discrete time. Transitions of a (discrete-time) probabilistic automaton can take place only at discrete time points. Each transition of a probabilistic automaton is labeled with a constant $p$ ($0 \le p \le 1$), which is the probability of the transition occurring in one time unit. A continuous-time version is presented in [22].

In Fig. 12.1, a (discrete-time) probabilistic automaton to model an ab- 
stract implementation of the gas burner is shown. 

For the gas burner automaton, we assume that the gas and the ignition 
are turned on at the start, and that the gas remains on throughout the time 
period of interest. The ignition is ideal and instant, so that the flame is 
established whenever ignition is applied. 

However, the flame may disappear at any discrete time point, and cause 
a gas leakage from the burner, i.e. the automaton will transit from NonLeak 
to Leak. Detection of a missing flame may be delayed for any number of 
time units, but when it succeeds, ignition will be applied immediately and 
the gas leakage will be stopped, i.e. the automaton will transit from Leak to 
NonLeak. 
Fig. 12.1. Probabilistic automaton: abstract implementation of a gas burner (initial probabilities $p_1$ (= 1) for NonLeak and $p_2$ (= 0) for Leak)



In this gas burner automaton, $p_1$ and $p_2$ are the probabilities of the gas burner starting in NonLeak and Leak, respectively. By assumption, the gas burner always starts in NonLeak, and hence $p_1 = 1$ and $p_2 = 0$. $p_{11}$ is the probability that the flame keeps burning for another time unit, i.e. the probability for the gas burner to remain in NonLeak for another time unit. The probability that the flame fails in one time unit is $p_{12}$, i.e. the probability for the gas burner to transit from NonLeak to Leak in one time unit. Therefore,

$0 \le p_{11} \le 1$, $0 \le p_{12} \le 1$ and $p_{11} + p_{12} = 1$,

since in NonLeak the gas burner can, in one time unit, make either an idle transition, thereby staying in the NonLeak state, or make the other possible transition to reach Leak.

Similarly, the probability that a missing flame remains undetected for another time unit is $p_{22}$, and the probability that a missing flame is detected in one time unit is $p_{21}$, and we have

$0 \le p_{22} \le 1$, $0 \le p_{21} \le 1$ and $p_{21} + p_{22} = 1$.

Given this automaton as an implementation of the gas burner, it is interesting to know the satisfaction probability of this implementation with respect to the two design decisions ($Des_1 \wedge Des_2$) in a given time period. With PDC, we provide axioms and rules to calculate and reason about such satisfaction probabilities.

The continuous-time probabilistic automaton described in [22] preserves 
the Markov property (i.e. the property of history independence), but assigns 
to each transition a probability of choosing this transition and a density 
function to determine the probability that the automaton performs the chosen 
transition in any time period. 

In Sect. 12.2, we shall present a mathematical definition of a (discrete- 
time) probabilistic automaton, and introduce the satisfaction probability of 
a DC formula with respect to a given automaton. In Sect. 12.3, a set of 
axioms and rules will be established in order to calculate and reason about 
the satisfaction probabilities of DC formulas. In Sect. 12.4, we shall apply 
these axioms and rules to estimate the probability that the requirements of 
the gas burner (GbReq) will be violated by the automaton shown in Fig. 12.1. 
12.2 Probabilistic Automata

A probabilistic automaton is a tuple $PA = (V, \tau_0, \tau)$, where

1. $V$ is a finite but nonempty exclusive and complete set of state variables, i.e.

$\bigvee_{P \in V} P \Leftrightarrow 1$

and

$(P \wedge Q) \Leftrightarrow 0$ ,

for any $P, Q \in V$ and $P \ne Q$.

2. $\tau_0 : V \to [0, 1]$ is called the initial probability mass function and must satisfy the condition

$\sum_{P \in V} \tau_0(P) = 1$ .

Note that $\tau_0(P)$ is the probability that the automaton starts in state $P$.

3. $\tau : V \times V \to [0, 1]$ is called the single-step probability transition function and must satisfy the condition

$\sum_{Q \in V} \tau(P, Q) = 1$ ,

for every $P \in V$.

The gas burner automaton of Fig. 12.1 is a tuple $PA = (V, \tau_0, \tau)$, where $V$, $\tau_0$ and $\tau$ are defined as follows:

1. The set $V$ is given by

$V = \{\mathit{NonLeak}, \mathit{Leak}\}$ and $\mathit{NonLeak} \Leftrightarrow \neg\mathit{Leak}$ .

2. The initial probability mass function is given by

$\tau_0(\mathit{NonLeak}) = p_1 = 1$ and $\tau_0(\mathit{Leak}) = p_2 = 0$ .

3. The single-step probability transition function is given by

$\tau(\mathit{NonLeak}, \mathit{NonLeak}) = p_{11}$ ,
$\tau(\mathit{NonLeak}, \mathit{Leak}) = p_{12}$ ,
$\tau(\mathit{Leak}, \mathit{Leak}) = p_{22}$ ,
$\tau(\mathit{Leak}, \mathit{NonLeak}) = p_{21}$ .
12.2.1 State Sequence

The behavior of a probabilistic automaton $PA$ can be defined by its state sequences. Given a positive integer $t$, a sequence of states in $V$

$\sigma = P_1 P_2 \cdots P_t$

defines a possible behavior of $PA$ for the first $t$ time units. The automaton starts in $P_1$ and remains there for one time unit. Then it makes a transition from $P_1$ to $P_2$ and remains in $P_2$ for another time unit, and so on. It completes $t - 1$ transitions and stays in $P_t$ for one time unit.

For state sequences such as $\sigma$, we also use the notation

$\langle P_1, P_2, \ldots, P_t \rangle$ .

When $t = 0$, the state sequence is empty (written $\langle\,\rangle$).

The probability that $PA$ starts in $P_1$ is defined by the mass function as $\tau_0(P_1)$, and the probability that $PA$ makes a transition from $P_i$ to $P_{i+1}$ is defined by the transition function as $\tau(P_i, P_{i+1})$. Therefore, the probability $\mu(\sigma)$ that $PA$ follows the behavior $\sigma$ is

$\mu(\sigma) = \tau_0(P_1) \cdot \tau(P_1, P_2) \cdots \tau(P_{t-1}, P_t)$ .

For example, for the gas burner automaton shown in Fig. 12.1, we can calculate, for the state sequences of length 1,

$\mu(\langle \mathit{NonLeak} \rangle) = p_1 = 1$
$\mu(\langle \mathit{Leak} \rangle) = p_2 = 0$

and, for the state sequences of length 2,

$\mu(\langle \mathit{NonLeak}, \mathit{NonLeak} \rangle) = p_1 \cdot p_{11} = p_{11}$
$\mu(\langle \mathit{NonLeak}, \mathit{Leak} \rangle) = p_1 \cdot p_{12} = p_{12}$
$\mu(\langle \mathit{Leak}, \mathit{NonLeak} \rangle) = p_2 \cdot p_{21} = 0$
$\mu(\langle \mathit{Leak}, \mathit{Leak} \rangle) = p_2 \cdot p_{22} = 0$ .

Note that the sum of the probabilities of all state sequences of length 1 is 1 and that the sum of the probabilities of all state sequences of length 2 is 1. In fact, given any length $t \ge 0$, the sum of the probabilities of all state sequences of length $t$ is 1, as we shall prove below.

Given an arbitrary probabilistic automaton $PA = (V, \tau_0, \tau)$, the probability function

$\mu : V^* \to [0, 1]$

is defined as follows:

$\mu(\sigma) = \begin{cases} 1 & \text{if } \sigma = \langle\,\rangle \\ \tau_0(P_1) \cdot \tau(P_1, P_2) \cdots \tau(P_{t-1}, P_t) & \text{if } \sigma = \langle P_1, P_2, \ldots, P_t \rangle. \end{cases}$
Furthermore, let $V^t$ be the set of all state sequences of $V$ with length $t$, for $t \ge 0$. Thus $V^0$ is the set containing only the empty state sequence.

We can prove the following theorem expressing the fact that $(V^t, \mu)$ constitutes a probabilistic space for every nonnegative integer $t$.

Theorem 12.1 For any $PA = (V, \tau_0, \tau)$ and nonnegative integer $t$,

• $0 \le \mu(\sigma) \le 1$, for any $\sigma \in V^t$, and

• $\sum_{\sigma \in V^t} \mu(\sigma) = 1$ .

Proof. The first part is obvious from the definitions of $\mu$, $\tau_0$ and $\tau$. The second part can be proved by induction on $t$ using the following facts:

$V^{t+1} = V^t {}^\frown V \;\widehat{=}\; \{ \sigma_1 {}^\frown \sigma_2 \mid \sigma_1 \in V^t \wedge \sigma_2 \in V \}$

and

□



12.2.2 Satisfaction Probability

For a given probabilistic automaton $PA = (V, \tau_0, \tau)$ and DC formula $\phi$, we shall define the following concepts in this section:

• The statement that the formula $\phi$ holds for a given state sequence $\sigma \in V^t$.

• The probability that $\phi$ holds for all state sequences in $V^t$, where $t$ is a nonnegative integer.

To this end, we assume that $PA$ starts at time 0 and we consider discrete interpretations over the state variables in $V$ over discrete time intervals $[0, t]$ for the first $t$ time units.

A state sequence $\sigma \in V^t$ of $PA$ determines the presence and absence of the state variables in $V$ in the first $t$ time units, and thus defines a discrete interpretation (see Chap. 6) of the state variables in $V$ in the interval $[0, t]$. For example, the state sequence

$\langle \mathit{NonLeak}, \mathit{Leak} \rangle$

defines a discrete interpretation $\mathcal{I}$ for $\mathit{Leak}$ (and thus for $\mathit{NonLeak}$) in the interval $[0, 2]$, for which

$\mathit{Leak}_{\mathcal{I}}(t) = \begin{cases} 0 & \text{for } 0 \le t < 1 \\ 1 & \text{for } 1 \le t < 2, \end{cases}$

where the value of $\mathit{Leak}_{\mathcal{I}}$ at the end point of $[0, 2]$ is irrelevant and will not affect the truth of a DC formula over the interval $[0, 2]$, provided that $\mathit{Leak}$ and $\mathit{NonLeak}$ are the only state variables which occur in the formula.
We say that $\mathcal{I}$ is consistent with the above state sequence in the interval $[0, 2]$. This generalizes easily to arbitrary state sequences.

A DC formula $\phi$ is called a $V$-formula if $\phi$ contains only state variables in $V$, and does not contain temporal propositional letters. The truth of $\phi$ is therefore independent of the interpretation of temporal propositional letters and of state variables outside $V$.

For any $V$-formula $\phi$, value assignment $\mathcal{V}$ and state sequence $\sigma \in V^t$, we say that $\phi$ holds for $\sigma$ under a given $\mathcal{V}$, written $\sigma, \mathcal{V} \models \phi$, if

$\mathcal{I}, \mathcal{V}, [0, t] \models \phi$ ,

where $\mathcal{I}$ is any discrete interpretation consistent with $\sigma$ for the state variables in $V$ in the interval $[0, t]$.

In the following text we shall always refer to an arbitrarily given value assignment, but, for simplicity, we shall not mention it explicitly.

The probability that $PA$ satisfies a $V$-formula $\phi$ over the interval $[0, t]$, denoted by $\mu(\phi)[t]$, can be defined as the sum of the probabilities of state sequences which are of length $t$ and satisfy $\phi$.

Let $V^t(\phi)$ be the set of state sequences in $V^t$ which satisfy $\phi$; then

$\mu(\phi)[t] = \sum_{\sigma \in V^t(\phi)} \mu(\sigma)$ .

Consider the probabilistic automaton $PA$ defined in Fig. 12.1. The first design decision ($Des_1$) for the gas burner,

$\Box(\lceil \mathit{Leak} \rceil \Rightarrow \ell \le 1)$

is a $V$-formula, where

$V = \{\mathit{NonLeak}, \mathit{Leak}\}$ and $\mathit{NonLeak} \Leftrightarrow \neg\mathit{Leak}$ .

The set of state sequences of length 2 satisfying this formula is

$V^2(Des_1) = \{\langle \mathit{NonLeak}, \mathit{NonLeak} \rangle, \langle \mathit{NonLeak}, \mathit{Leak} \rangle, \langle \mathit{Leak}, \mathit{NonLeak} \rangle\}$ ,

and we have the result that the satisfaction probability over the interval $[0, 2]$ is

$\mu(Des_1)[2] = p_1 \cdot p_{11} + p_1 \cdot p_{12} + p_2 \cdot p_{21} = 1$ .

So the gas burner automaton shown in Fig. 12.1 represents a fully dependable implementation of the gas burner in the first two time units as far as the first design decision is concerned.

Since $(V^t, \mu)$ is a probabilistic space (Theorem 12.1), the following theorem follows from the definition of the satisfaction probability.

Theorem 12.2 For any $PA$ and $t \ge 0$,

• $0 \le \mu(\phi)[t] \le 1$, for any $V$-formula $\phi$

• $\mu(\mathrm{true})[t] = 1$.
12.3 Probabilistic Duration Calculus: Axioms and Rules

In accordance with the definition of the satisfaction probability given in Sect. 12.2, this section proposes a set of axioms and rules to calculate and reason about $\mu(\phi)[t]$ with respect to an arbitrarily given probabilistic automaton $PA$ and $V$-formula $\phi$.

Since $\mu(\phi)[t]$ is a real number and $t$ is a nonnegative integer, PDC is an extension of real arithmetic and integer arithmetic. PDC is also an extension of discrete-time DC which can derive properties of $V$-formulas.

The proof system for PDC presented here is not complete, but [40] provides a complete calculus for a probabilistic neighborhood logic.

12.3.1 Syntax

Syntactically, PDC extends real and integer arithmetic with $\mu(\phi)[t]$ as the additional terms, where $\phi$ ranges over the $V$-formulas of a given $PA$.

For example, the following formulas are well-formed formulas of PDC with respect to the gas burner automaton:

1. $\mu(GbReq)[t] = p$, which expresses the condition that $p$ is the probability that the gas burner automaton satisfies the requirement in the first $t$ time units.

2. $\forall t.(\mu(\neg GbReq)[t] \le \mu(\neg Des_1)[t] + \mu(\neg Des_2)[t])$, which expresses the condition that the probability of violation of the requirement of the gas burner automaton is not greater than the sum of the probabilities of violation of the two design decisions.

3. $\forall t.(\mu(GbReq)[t] = 1 - \mu(\neg GbReq)[t])$, which expresses how to calculate the satisfaction probability of the requirement from its violation probability.

In these examples, $t$ is regarded as a global variable ranging over nonnegative integers.

By proving the truth of the last two formulas (2 and 3) above, one can estimate the dependability of the gas burner automaton through the calculation of violation probabilities of the design decisions.

In the following, we shall use a formula built from $\mu$-terms written without the index $[t]$, such as

$\mu(\phi) \; R \; \mu(\psi)$ ,

as an abbreviation of

$\forall t.(\mu(\phi)[t] \; R \; \mu(\psi)[t])$ ,

where $R$ is a relation of arithmetic.

For example, the formulas 2 and 3 above can be abbreviated as follows:

$\mu(\neg GbReq) \le \mu(\neg Des_1) + \mu(\neg Des_2)$
$\mu(GbReq) = 1 - \mu(\neg GbReq)$ .
The axioms and rules of real arithmetic, integer arithmetic and DC are taken as axioms and rules of PDC, as PDC extends these logics. In the following sections we list the additional axioms and rules for $\mu$, and assume that all formulas appearing in the scope of $\mu$ are $V$-formulas.

The proof system is presented in two parts, where the axioms and rules in the first part are generic, and can be applied to any probabilistic automaton, while the axioms and rules in the second part are specific to a given automaton.

12.3.2 Proof System: Part I

The DC formula "true" holds for state sequences of any probabilistic automaton in any interval.

PA1  $\mu(\mathrm{true}) = 1$ .

For any interval, $\phi$ and $\neg\phi$ form an exclusive partition of all state sequences of any probabilistic automaton.

PA2  $\mu(\phi) + \mu(\neg\phi) = 1$ .

From PA2, we can straightforwardly derive

$\mu(GbReq) = 1 - \mu(\neg GbReq)$ .

The additivity axiom of probability theory holds for PDC.

PA3  $\mu(\phi) + \mu(\psi) = \mu(\phi \vee \psi) + \mu(\phi \wedge \psi)$ .

The satisfaction probability is monotone.

PA4  If $\phi \Rightarrow \psi$, then $\mu(\phi) \le \mu(\psi)$ .

The following theorem can be easily derived from the above axioms and rules.

PDC1
1. $\mu(\mathrm{false}) = 0$.
2. $0 \le \mu(\phi) \le 1$.
3. $\mu(\phi \vee \psi) \le \mu(\phi) + \mu(\psi)$.
4. If $\neg(\phi \wedge \psi)$, then $\mu(\phi \vee \psi) = \mu(\phi) + \mu(\psi)$.
5. If $\phi \Leftrightarrow \psi$, then $\mu(\phi) = \mu(\psi)$.
6. $\mu(\phi) = 1 \Rightarrow \mu(\phi \wedge \psi) = \mu(\psi)$.
Proof. The proofs of the first five cases are trivial. The last case can be proved as follows:

1. $\mu(\phi \wedge \psi) \le \mu(\psi)$   PA4
2. $\mu(\phi) + \mu(\psi) = \mu(\phi \vee \psi) + \mu(\phi \wedge \psi)$   PA3
3. $\mu(\phi) = 1 \Rightarrow \mu(\phi \vee \psi) \le \mu(\phi)$   PA1, PA4
4. $\mu(\phi) = 1 \Rightarrow \mu(\phi \wedge \psi) \ge \mu(\psi)$   2., 3.
5. $\mu(\phi) = 1 \Rightarrow \mu(\phi \wedge \psi) = \mu(\psi)$   1., 4.

□



If we consider state sequences of length $t$, the formulas $\phi$ and $(\phi \wedge \ell = t)$ hold for the same sequences.

PA5  $\mu(\phi)[t] = \mu(\phi \wedge \ell = t)[t]$ .

Using this axiom, the following theorem can be proved.

PDC2  $\mu(\ell = t)[t] = 1$ and $\mu(\ell \ne t)[t] = 0$ .

Proof. From PA5, PA1 and PDC1, we have

$\mu(\mathrm{true})[t] = \mu(\mathrm{true} \wedge \ell = t)[t] = \mu(\ell = t)[t] = 1$ .

Furthermore, using PA2, we have

$\mu(\ell \ne t)[t] = 1 - \mu(\ell = t)[t] = 0$ .

□

A formula $\phi$ holds for a state sequence of length $t$ if and only if the formula $(\phi {}^\frown \ell = \delta)$ holds for any extension of the sequence to a length $(t + \delta)$, where $\delta$ is a nonnegative integer.

PA6  $\mu(\phi {}^\frown \ell = \delta)[t + \delta] = \mu(\phi)[t]$ .

Using this axiom, the following theorem can be proved.

PDC3  $\mu((\phi \wedge \ell = t) {}^\frown \psi)[t + \delta] \le \mu(\phi)[t]$ .

Proof.

$\mu((\phi \wedge \ell = t) {}^\frown \psi)[t + \delta]$
$= \mu(((\phi \wedge \ell = t) {}^\frown \psi) \wedge \ell = t + \delta)[t + \delta]$   PA5
$= \mu((\phi \wedge \ell = t) {}^\frown (\psi \wedge \ell = \delta))[t + \delta]$   PDC1
$\le \mu((\phi \wedge \ell = t) {}^\frown (\ell = \delta))[t + \delta]$   PA4
$= \mu(\phi \wedge \ell = t)[t]$   PA6
$= \mu(\phi)[t]$   PA5.

□
12.3.3 Proof System: Part II

The axioms and rules in this section refer to an arbitrarily given probabilistic automaton $PA$. We shall use the abbreviation

$\lceil P \rceil^1 \;\widehat{=}\; \lceil P \rceil \wedge \ell = 1$ .

We refer to Sect. 7.2 for the definition of $\lceil P \rceil$.

For the initial probability mass function $\tau_0$ of $PA$, we have

PA7  $\mu(\lceil P \rceil^1)[1] = \tau_0(P)$ .

For the transition probability function $\tau$ of $PA$, we have

PA8  If $\phi \Rightarrow (\mathrm{true} {}^\frown \lceil P \rceil)$
     then $\mu(\phi {}^\frown \lceil Q \rceil^1)[t + 1] = \tau(P, Q) \cdot \mu(\phi)[t]$ .

Using these two axioms, we can prove the following theorem.

PDC4
1. $\tau_0(P) = 0 \Rightarrow \mu(\lceil P \rceil {}^\frown \phi) = 0$.
2. $\tau(P, Q) = 0 \Rightarrow \mu(\phi {}^\frown \lceil P \rceil {}^\frown \lceil Q \rceil) = 0$.

Proof. The first part can be proved as follows. Let us assume $\tau_0(P) = 0$ and $t \ge 1$. From PA7, we can derive

$\mu(\lceil P \rceil^1)[1] = 0$ ;

then

$\mu(\lceil P \rceil {}^\frown \phi)[t]$
$= \mu(\lceil P \rceil^1 {}^\frown ((\lceil\,\rceil \vee \lceil P \rceil) {}^\frown \phi))[t]$   PDC1
$\le \mu(\lceil P \rceil^1)[1]$   PDC3
$= 0$   PA7.

When $t = 0$, we have

$\mu(\lceil P \rceil {}^\frown \phi)[0]$
$= \mu((\lceil P \rceil {}^\frown \phi) \wedge (\ell = 0))[0]$   PA5
$= \mu(\mathrm{false})[0]$   PDC1
$= 0$   PDC1.

For the second part, let us assume $\tau(P, Q) = 0$. When $t \ge 1$, using PA8 we can derive

$\mu(\phi {}^\frown \lceil P \rceil {}^\frown \lceil Q \rceil)[t] = 0$ .

When $t = 0$, we can follow the same reasoning as for the first part to prove

$\mu(\phi {}^\frown \lceil P \rceil {}^\frown \lceil Q \rceil)[0] = 0$ .

□
In [90], PDC is extended with classical probability matrices, and the satisfaction probabilities of many useful DC formulas, such as

$\mu(\mathit{true} \frown \lceil P \rceil^{1}) ,$

$\mu(\mathit{true} \frown \lceil P \rceil \frown \lceil Q \rceil) ,$

$\mu((\varphi \wedge (\mathit{true} \frown \lceil P \rceil)) \frown \lceil Q \rceil) ,$

can be computed using matrix scalar products.



12.4 Example: Gas Burner 

In this section, we use PDC to give an estimate of the violation probability 
of GbReq with respect to the probabilistic automaton shown in Fig. 12.1. In 
obtaining this estimate, we assume that the time unit is one second, and we 
often reason informally in order to focus on the main ideas. 

Since

$(\mathit{Des}_1 \wedge \mathit{Des}_2) \Rightarrow \mathit{GbReq} ,$

we have

$\neg\mathit{GbReq} \Rightarrow (\neg\mathit{Des}_1 \vee \neg\mathit{Des}_2) .$

Then, using PA4 and PDC1, we obtain

$\mu(\neg\mathit{GbReq}) \leq \mu(\neg\mathit{Des}_1 \vee \neg\mathit{Des}_2) \leq \mu(\neg\mathit{Des}_1) + \mu(\neg\mathit{Des}_2) .$

Therefore, the sum of the violation probabilities of the two design decisions 
is an upper bound on the violation probability of the requirement. 

In the next two subsections, we use the proof system of PDC to derive recursive functions for the computation of the violation probabilities of the design decisions, i.e. we give programs (in terms of recursive functions) for computing $\mu(\neg\mathit{Des}_1)[t]$ and $\mu(\neg\mathit{Des}_2)[t]$ and prove the correctness of the programs.

Hence, using these programs, we can estimate the violation probability of the requirement as $\mu(\neg\mathit{GbReq})[t] \leq \mu(\neg\mathit{Des}_1)[t] + \mu(\neg\mathit{Des}_2)[t]$.

The design decisions are formulated in Sect. 3.2 for the continuous-time domain as follows:

$\mathit{Des}_1 \;\hat{=}\; \Box(\lceil \mathit{Leak} \rceil \Rightarrow \ell \leq 1)$

$\mathit{Des}_2 \;\hat{=}\; \Box((\lceil \mathit{Leak} \rceil \frown \lceil \neg\mathit{Leak} \rceil \frown \lceil \mathit{Leak} \rceil) \Rightarrow \ell \geq 30) .$

However, for the discrete-time domain, the second design decision, i.e. that the distance between two leaks is not less than 30 seconds, must be reformulated by taking into account the fact that each leak lasts for at least one second:

$\Box((\lceil \mathit{Leak} \rceil \frown \lceil \neg\mathit{Leak} \rceil \frown \lceil \mathit{Leak} \rceil) \Rightarrow \ell \geq 32) .$

12.4.1 Calculation of $\mu(\neg\mathit{Des}_1)$

Here we establish a recursive function to calculate $\mu(\neg\mathit{Des}_1)[t]$.

In order to calculate $\mu(\neg\mathit{Des}_1)[t]$, we shall need an auxiliary function. Let

$f_1(t) = \mu(\neg\mathit{Des}_1)[t]$

and

$g_1(t) = \mu(\mathit{Des}_1 \frown \lceil \neg\mathit{Leak} \rceil^{1})[t] .$

We show below that $f_1$ can be defined recursively by the program:

$f_1(0) = 0$
$f_1(1) = 0$
$f_1(2) = 0$
$f_1(t+1) = f_1(t) + p_{12} \cdot p_{22} \cdot g_1(t-1), \quad \text{for } t \geq 2,$

and that the auxiliary function can be defined recursively by the program:

$g_1(0) = 0$
$g_1(1) = 1$
$g_1(2) = p_{11}$
$g_1(t+1) = p_{11} \cdot g_1(t) + p_{12} \cdot p_{21} \cdot g_1(t-1), \quad \text{for } t \geq 2.$

It is easy to see that $f_1$ and $g_1$ terminate for any natural number $t \geq 0$. We now use PDC to prove that they compute the correct functions.

We shall exploit the fact that

$\neg\mathit{Des}_1 \;\Leftrightarrow\; \Diamond(\lceil \mathit{Leak} \rceil \wedge \ell > 1) .$

The formula $\mathit{Des}_1$ is violated in the interval comprising the first $t+1$ time units if and only if $\mathit{Des}_1$ is violated in the first $t$ time units or $\mathit{Des}_1$ holds for the first $t$ time units but is violated in the full interval comprising the $t+1$ time units:

$\neg\mathit{Des}_1 \wedge \ell = t+1 \;\Leftrightarrow\;$
$((\neg\mathit{Des}_1 \frown \ell = 1) \wedge \ell = t+1)$
$\vee\; ((\mathit{Des}_1 \frown \ell = 1) \wedge \neg\mathit{Des}_1 \wedge \ell = t+1) .$

The two formulas on the right-hand side above are mutually exclusive. From PDC1 and PA5, we have

$\mu(\neg\mathit{Des}_1)[t+1] = \mu(\neg\mathit{Des}_1 \frown \ell = 1)[t+1] + \mu((\mathit{Des}_1 \frown \ell = 1) \wedge \neg\mathit{Des}_1)[t+1] ,$

and from PA6 we have

$\mu(\neg\mathit{Des}_1 \frown \ell = 1)[t+1] = \mu(\neg\mathit{Des}_1)[t] .$



In the rest of this subsection and in the next subsection, we shall often apply the following expansion of $\Box\varphi$:

$\Box\varphi \;\Leftrightarrow\; (\lceil\,\rceil \wedge \varphi) \;\vee\; (((\Box\varphi \frown \lceil \neg\mathit{Leak} \rceil^{1}) \vee (\Box\varphi \frown \lceil \mathit{Leak} \rceil^{1})) \wedge \Box\varphi) .$

To calculate $\mu((\mathit{Des}_1 \frown \ell = 1) \wedge \neg\mathit{Des}_1)[t+1]$, we expand $\mathit{Des}_1$ and exploit the fact that

$(\mathit{Des}_1 \frown \ell = 1) \wedge \neg\mathit{Des}_1 \;\Leftrightarrow\; (\lceil \mathit{Leak} \rceil^{2} \vee (\mathit{Des}_1 \frown \lceil \neg\mathit{Leak} \rceil^{1} \frown \lceil \mathit{Leak} \rceil^{2})) .$

From PDC1, we obtain

$\mu((\mathit{Des}_1 \frown \ell = 1) \wedge \neg\mathit{Des}_1)[t+1] = \mu(\lceil \mathit{Leak} \rceil^{2})[t+1] + \mu(\mathit{Des}_1 \frown \lceil \neg\mathit{Leak} \rceil^{1} \frown \lceil \mathit{Leak} \rceil^{2})[t+1] ,$

and from PDC4 and PA8 we obtain

$\mu((\mathit{Des}_1 \frown \ell = 1) \wedge \neg\mathit{Des}_1)[t+1] = p_{12} \cdot p_{22} \cdot \mu(\mathit{Des}_1 \frown \lceil \neg\mathit{Leak} \rceil^{1})[t-1] ,$

where $t \geq 2$.

In order to calculate $\mu(\mathit{Des}_1 \frown \lceil \neg\mathit{Leak} \rceil^{1})$, we establish the expansion

$(\mathit{Des}_1 \frown \lceil \neg\mathit{Leak} \rceil^{1}) \;\Leftrightarrow\;$
$\lceil \neg\mathit{Leak} \rceil^{1}$
$\vee\; (\mathit{Des}_1 \frown \lceil \neg\mathit{Leak} \rceil^{2})$
$\vee\; (\lceil \mathit{Leak} \rceil^{1} \frown \lceil \neg\mathit{Leak} \rceil^{1})$
$\vee\; (\mathit{Des}_1 \frown \lceil \neg\mathit{Leak} \rceil^{1} \frown \lceil \mathit{Leak} \rceil^{1} \frown \lceil \neg\mathit{Leak} \rceil^{1}) .$

Using PDC1, we obtain

$\mu(\mathit{Des}_1 \frown \lceil \neg\mathit{Leak} \rceil^{1})[t+1]$
$= \mu(\lceil \neg\mathit{Leak} \rceil^{1})[t+1]$
$+\; \mu(\mathit{Des}_1 \frown \lceil \neg\mathit{Leak} \rceil^{2})[t+1]$
$+\; \mu(\lceil \mathit{Leak} \rceil^{1} \frown \lceil \neg\mathit{Leak} \rceil^{1})[t+1]$
$+\; \mu(\mathit{Des}_1 \frown \lceil \neg\mathit{Leak} \rceil^{1} \frown \lceil \mathit{Leak} \rceil^{1} \frown \lceil \neg\mathit{Leak} \rceil^{1})[t+1] .$

Furthermore, from PDC2, PA8 and PDC4, we have the result that

$\mu(\mathit{Des}_1 \frown \lceil \neg\mathit{Leak} \rceil^{1})[t+1] = p_{11} \cdot \mu(\mathit{Des}_1 \frown \lceil \neg\mathit{Leak} \rceil^{1})[t] + p_{12} \cdot p_{21} \cdot \mu(\mathit{Des}_1 \frown \lceil \neg\mathit{Leak} \rceil^{1})[t-1] ,$

when $t \geq 2$.

We can now establish the recursive cases for $f_1$ and $g_1$, since when $t \geq 2$, we have the result that

$\mu(\neg\mathit{Des}_1)[t+1] = \mu(\neg\mathit{Des}_1)[t] + p_{12} \cdot p_{22} \cdot \mu(\mathit{Des}_1 \frown \lceil \neg\mathit{Leak} \rceil^{1})[t-1] ,$

which establishes the recursive case for $f_1$, and

$\mu(\mathit{Des}_1 \frown \lceil \neg\mathit{Leak} \rceil^{1})[t+1] = p_{11} \cdot \mu(\mathit{Des}_1 \frown \lceil \neg\mathit{Leak} \rceil^{1})[t] + p_{12} \cdot p_{21} \cdot \mu(\mathit{Des}_1 \frown \lceil \neg\mathit{Leak} \rceil^{1})[t-1] ,$

which establishes the recursive case for $g_1$.

In order to establish the base cases for $f_1$ and $g_1$, we observe first that

1. $(\neg\mathit{Des}_1 \wedge (\ell = 2)) \Leftrightarrow \lceil \mathit{Leak} \rceil^{2}$
2. $(\neg\mathit{Des}_1 \wedge (\ell \leq 1)) \Leftrightarrow \mathit{false}$
3. $((\mathit{Des}_1 \frown \lceil \neg\mathit{Leak} \rceil^{1}) \wedge (\ell = 2)) \Leftrightarrow (\lceil \mathit{Leak} \rceil^{1} \frown \lceil \neg\mathit{Leak} \rceil^{1} \;\vee\; \lceil \neg\mathit{Leak} \rceil^{2})$
4. $((\mathit{Des}_1 \frown \lceil \neg\mathit{Leak} \rceil^{1}) \wedge (\ell = 1)) \Leftrightarrow \lceil \neg\mathit{Leak} \rceil^{1}$
5. $((\mathit{Des}_1 \frown \lceil \neg\mathit{Leak} \rceil^{1}) \wedge (\ell = 0)) \Leftrightarrow \mathit{false} .$

We can derive the following using PA5:

1. $\mu(\neg\mathit{Des}_1)[2] = 0$   PDC4
2. $\mu(\neg\mathit{Des}_1)[1] = \mu(\neg\mathit{Des}_1)[0] = 0$   PDC1
3. $\mu(\mathit{Des}_1 \frown \lceil \neg\mathit{Leak} \rceil^{1})[2] = p_{11}$   PDC1, PDC4, PA8, PA7
4. $\mu(\mathit{Des}_1 \frown \lceil \neg\mathit{Leak} \rceil^{1})[1] = 1$   PA7
5. $\mu(\mathit{Des}_1 \frown \lceil \neg\mathit{Leak} \rceil^{1})[0] = 0$   PDC1.

These account for all the base cases of $f_1$ and $g_1$, and we have now shown how to calculate the violation probability of $\mathit{Des}_1$ with respect to the implementation shown in Fig. 12.1.
12.4.2 Calculation of $\mu(\neg\mathit{Des}_2)$

The calculation of $\mu(\neg\mathit{Des}_2)$ can also be done recursively.

To establish this, we show that the functions

$f_2(t) = \mu(\neg\mathit{Des}_2)[t]$
$g_2(t) = \mu(\mathit{Des}_2)[t]$
$h_2(t) = \mu(\mathit{Des}_2 \wedge (\mathit{Des}_2 \frown \lceil \neg\mathit{Leak} \rceil^{1}))[t]$
$k_2(t) = \mu(\mathit{Des}_2 \wedge (\mathit{Des}_2 \frown \lceil \mathit{Leak} \rceil^{1}))[t]$

can be defined by mutual recursion as follows:

$f_2(t) = 1 - g_2(t)$

$g_2(t) = \begin{cases} 1 & \text{if } t = 0 \\ h_2(t) + k_2(t) & \text{otherwise} \end{cases}$

$h_2(t) = \begin{cases} 0 & \text{if } t = 0 \\ 1 & \text{if } t = 1 \\ p_{11} \cdot h_2(t-1) + p_{21} \cdot k_2(t-1) & \text{otherwise} \end{cases}$

$k_2(t) = \begin{cases} 0 & \text{if } t = 0 \text{ or } t = 1 \\ p_{22} \cdot k_2(t-1) + p_{11}^{\,t-2} \cdot p_{12} & \text{if } 2 \leq t \leq 32 \\ p_{22} \cdot k_2(t-1) + p_{11} \cdot p_{12} \cdot h_2(t-30) & \text{if } 32 < t. \end{cases}$

In this case also, it is not difficult to see that these programs all terminate for any natural number $t \geq 0$. We shall now prove that they compute the correct functions.

The recursion formula for $f_2$ is easy to justify, since from PA2 we have

$\mu(\neg\mathit{Des}_2) = 1 - \mu(\mathit{Des}_2) .$

In order to justify the recursion formula for $g_2$, we expand $\mathit{Des}_2$ according to the expansion of $\Box\varphi$ given in the previous subsection. By using PDC1, we obtain

$\mu(\mathit{Des}_2 \wedge \ell > 0) = \mu(\mathit{Des}_2 \wedge (\mathit{Des}_2 \frown \lceil \neg\mathit{Leak} \rceil^{1})) + \mu(\mathit{Des}_2 \wedge (\mathit{Des}_2 \frown \lceil \mathit{Leak} \rceil^{1})) ,$

which establishes the recursive case for $g_2$.

For the base case for $g_2$, we must show that $\mu(\mathit{Des}_2)[0] = 1$. Since

$\mu(\ell = 0)[0] = 1$

by PDC2, and

$\ell = 0 \Rightarrow \mathit{Des}_2$

holds in DC, the base case can be established by using PA4 and PDC1, as we have

$1 = \mu(\ell = 0)[0] \leq \mu(\mathit{Des}_2)[0] \leq 1 .$

To establish the recursive case for $h_2$, we assume that the length of the interval concerned is not less than 2, i.e. $\ell \geq 2$, and expand $\mathit{Des}_2$ as follows:

$\mathit{Des}_2 \wedge (\mathit{Des}_2 \frown \lceil \neg\mathit{Leak} \rceil^{1}) \;\Leftrightarrow\; (\mathit{Des}_2 \wedge (\mathit{Des}_2 \frown \lceil \neg\mathit{Leak} \rceil^{2})) \;\vee\; (\mathit{Des}_2 \wedge (\mathit{Des}_2 \frown \lceil \mathit{Leak} \rceil^{1} \frown \lceil \neg\mathit{Leak} \rceil^{1})) .$

Hence, by PDC1,

$\mu(\mathit{Des}_2 \wedge (\mathit{Des}_2 \frown \lceil \neg\mathit{Leak} \rceil^{1})) = \mu(\mathit{Des}_2 \wedge (\mathit{Des}_2 \frown \lceil \neg\mathit{Leak} \rceil^{2})) + \mu(\mathit{Des}_2 \wedge (\mathit{Des}_2 \frown \lceil \mathit{Leak} \rceil^{1} \frown \lceil \neg\mathit{Leak} \rceil^{1})) .$

However, in DC we have the result that

$(\mathit{Des}_2 \frown \lceil \neg\mathit{Leak} \rceil^{1}) \Rightarrow \mathit{Des}_2 ,$

since $\mathit{Des}_2$ is a constraint about the distance between two leaks, and the last occurrence of $\lceil \neg\mathit{Leak} \rceil^{1}$ is irrelevant to this constraint. Thus, we have

$\mathit{Des}_2 \wedge (\mathit{Des}_2 \frown \lceil \neg\mathit{Leak} \rceil^{2}) \;\Leftrightarrow\; (\mathit{Des}_2 \wedge (\mathit{Des}_2 \frown \lceil \neg\mathit{Leak} \rceil^{1})) \frown \lceil \neg\mathit{Leak} \rceil^{1}$

and

$\mathit{Des}_2 \wedge (\mathit{Des}_2 \frown \lceil \mathit{Leak} \rceil^{1} \frown \lceil \neg\mathit{Leak} \rceil^{1}) \;\Leftrightarrow\; (\mathit{Des}_2 \wedge (\mathit{Des}_2 \frown \lceil \mathit{Leak} \rceil^{1})) \frown \lceil \neg\mathit{Leak} \rceil^{1} .$

So, by use of PDC1 and PA8, when $\ell \geq 2$, we can derive

$\mu(\mathit{Des}_2 \wedge (\mathit{Des}_2 \frown \lceil \neg\mathit{Leak} \rceil^{1}))[t]$
$= \mu((\mathit{Des}_2 \wedge (\mathit{Des}_2 \frown \lceil \neg\mathit{Leak} \rceil^{1})) \frown \lceil \neg\mathit{Leak} \rceil^{1})[t] + \mu((\mathit{Des}_2 \wedge (\mathit{Des}_2 \frown \lceil \mathit{Leak} \rceil^{1})) \frown \lceil \neg\mathit{Leak} \rceil^{1})[t]$
$= p_{11} \cdot \mu(\mathit{Des}_2 \wedge (\mathit{Des}_2 \frown \lceil \neg\mathit{Leak} \rceil^{1}))[t-1] + p_{21} \cdot \mu(\mathit{Des}_2 \wedge (\mathit{Des}_2 \frown \lceil \mathit{Leak} \rceil^{1}))[t-1] ,$

which establishes the recursive case for $h_2$. We leave the base cases for the reader.

To establish the two recursive cases for $k_2$, we assume that $\ell \geq 2$ and expand $\mathit{Des}_2$ as follows:

$\mathit{Des}_2 \wedge (\mathit{Des}_2 \frown \lceil \mathit{Leak} \rceil^{1}) \;\Leftrightarrow\; (\mathit{Des}_2 \wedge (\mathit{Des}_2 \frown \lceil \mathit{Leak} \rceil^{2})) \;\vee\; (\mathit{Des}_2 \wedge (\mathit{Des}_2 \frown \lceil \neg\mathit{Leak} \rceil^{1} \frown \lceil \mathit{Leak} \rceil^{1})) .$

We consider the two cases in the above disjunction:

1. If $\mathit{Des}_2$ ends with $\lceil \mathit{Leak} \rceil^{2}$, then we can prove in DC that

$\math_placeholder$
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Abbreviations 



A0-A2: axioms of IL, 27 
Autol(a) - Auto3(b): specification of an 
automaton for the gas burner, 161 

COR: Corollary, 183 
CSP: communicating sequential 
processes, 9 

D1-D6: axioms for abstract domain, 
202 

DC: duration calculus, 14, 41 
DCAl -DCA6: axioms of DC, 45 
Desi: design decision 1 (gas burner), 
11, 60 

Des 2 '- design decision 2 (gas burner), 
12, 60 

dLinei'. deadline of pi, 69 
DNF{S): disjunctive normal form for 
5, 102 

E: axiom of IL, 27 

FA^{S): finite alternation, 46 

G: generalization, inference rule of IL, 
27 

GbReq: requirement (gas burner), 10, 

60 

H(p : IL encoding of DC axioms for 0, 91 

IC: set of valid IL formulas, 89 
XCdc‘ DC instances of J£, 89 
IL: interval logic, 23 
IRl, IR2: induction rules of DC, 45 

LI - L3: axioms of IL, 27 
LDI: linear duration invariant, 133 
LF: linear function (in LDI), 133 
LM: Lemma, 65 

M: monotonicity, inference rule of IL, 
27 



MP: modus ponens, inference rule of 
IL, 27 

Nl, N2: axioms of state transition 
calculus, 157 

N: necessity, inference rule of IL, 27 
next{X,S): the formula 
XV(X-[S1) v(x-r-5l), 

49 

NL: neighborhood logic, 191 
NLAl - NLA8: axioms of neighborhood 
logic, 195 

NLM, NLN, MP, G: inference rules of 
NL, 196 

PA1-PA8: axioms of PDC, 216 
PDC: probabilistic duration calculus, 
209 

PLC: programmable logic controller, 19 
ProCoS: provable correct systems 
(ESPRIT BRA 3104, 7071), 14 
PrR: periodic request, 71 

Ql, Q2: axioms of IL, 28 

R: axiom of IL, 27 

RAISE: rigorous approach to industrial 
software engineering, 19 
RDC: restricted duration calculus, 99 
RDCi{r), RDC 2 , RDCs- subsets of 
DC formulas. 111 

Req: requirement of every process on 
every prefix interval, 73 
reqf. requirement of pi on an interval, 
73 

Req-: requirement of pi on all prefix 
intervals, 73 
Run^: Pi is running, 68 

Sch: scheduler specification, 76 




240 Abbreviations 



SDC1-SDC7: axioms for super dense 
state transitions, 171 
ShP: shared processor, 68 
SIL: signed interval logic, 17 
Spec', assumptions in Liu and Layland’s 
theorem, 78 

STl - ST4: axioms of state transition 
calculus, 154 

Stdj: Pi has a standing request, 68 



TLA: temporal logic of actions, 9 
TM: Theorem, 137 

Urg^j : Pi is more urgent than pj , 68 
Urgent: urgency of processes, 74 

(j)h: IL encoding of 0, 91 
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[_]ter, 1-1: program semantics, 180 
f]: point interval, 44 
[51: 5 holds throughout nonpoint 
interval, 44 

ISY- S holds for interval of length 
r > 0, 115 

S holds for interval of length x, 
123 

[x]: the smallest integer greater than 
or equal to x, 71 

[x\: the largest integer not exceeding 
j:, 71 

□ : for all subintervals, 24 
Dpi for all prefix intervals, 39 
O: for some subinterval, 24 
Op', for some prefix interval, 39 
Oi'. for some left neighborhood, 191 
Of: for some left neighborhood of the 
end point, 192 

Or', for some right neighborhood, 191 
Of : for some right neighborhood of the 
start point, 192 

•: super dense chop modality, 169 
chop, 24 

concatenation of sequences, 133, 176 
I L: contraction closure of L, 106 
45 , t *^5 -bS, T5: transition formulas, 150 
\S, /^S: transition formulas, 
148 

JS: state duration, 41 
(): empty sequence, 176 
=LDi'- equivalence with respect to a 
linear duration invariant, 135 
[= 0 is valid, 26 

h 0: 0 is provable, 29, 46 

A: real-time automaton, 132 

C, T, D: modalities, 190 

n-axy function symbols, 23 



f^: meaning of n-ary function symbol, 
~ 25 

FSymb: set of global function symbols, 
23 

G^: n-ary relation symbol, 23 

G^: meaning of n-ary relation symbol, 

25 

GVar: set of global variables, 23 

X: interpretation (duration calculus), 

42 

Z, V, [b, e] 1= (p: semantics of formula, 43 
X[0]: semantics of formula, 43 
Intv: set of all intervals, 25 

J: interpretation (interval logic), 25 
J, V, [b, e] (j)'. semantics of a formula, 

26 

v7[0]: semantics of a formula, 26 
Jl6}: semantics of a term, 25 
Ji: induced interpretation, 43 

La: regular language of A, 132 

i: interval length, 23, 25 

low: lower-bound timing constraint, 

132 

M: two-counter machine, 114 

N: set of natural numbers, 61 

R, . . .: state variables, 41 
V: parallel process, 175 
PA: probabilistic automaton, 210 
PLetter: set of temporal propositional 
letters, 23 

R: real numbers, 24 
RSymb: set of global relation symbols, 
23 

S: state expression, 41 
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5x: meaning of state expression, 42 
S: sequential process, 175 
Seq: untimed sequence of transitions, 
132 

SVar: set of state variables, 41 

T: set of transitions, 132 
Time: time domain, 4, 42 
Trace: set of traces, 176 
TSeq: timed sequence of transitions, 
132 

TVar: set of temporal variables, 23 

up: upper-bound timing constraint, 132 

V: exclusive and complete set of state 
variables, 211 

V^: set of all state sequences of length 
t, 213 

V: value assignment, 25 
v^v\ . . temporal variables, 23 
Val: set of all value assignments, 25 
vj: meaning of temporal variable, 25 

Xj: meaning of temporal propositional 
letter, 25 



X, y, . . temporal propositional letters, 
23 

x^y^z,. . (global) variables, 23 



r \- (f): deduction of (f) from T, 29, 46 
e: empty sequence, 132 
6: term, 23 

/i(0)[f]: satisfaction probability of 0 at 
time t, 214 

/ji(cr): probability of cr, 212 
p — (Pi^Pj): transition of real-time 
automaton, 132 
^ : pre-state of transition, 132 
: post-state of transition, 132 
a: computation of two-counter machine, 
113 

a: state sequence of probabilistic 
automaton, 212 

r: single-step probability transition 
function, 211 

To: initial probability mass, 211 
. . .: formulas, 23 
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abstract domain, 20, 203 

- semantics of durations, 203 
adequacy of neighborhood modalities, 

193 

assumption-commitment logic, 20 
automaton, 9, 20, 101, 146, 160 

- continuous time probabilistic, 210 

- hybrid, 20, 144, 190 

- phase, 105 

- probabilistic, 16, 209-211 

- programmable logic controller (PLC), 
19 

- real-time, 21, 125, 131 

- timed, 7, 20, 131, 144 
axioms 

- duration calculus, 45 

- interval logic, 27 

- neighborhood logic, 195 

- probabilistic duration calculus, 210, 
216, 218 

- state transition calculus, 153, 157 

- superdense state transitions, 171 

basic conjunct, 102 
Boolean state, see state 
bounded liveness, 187 
bounded termination, 185 

calculus 

- duration, see duration calculus, 40 

- probabilistic duration, 215 

- state transition, 147, 153, 157, 170 

- superdense state transition, 170, 173 
channel, 175 

channel variables, 176 
chop, see modality, chop 
chop free, 28, 34 
combine law, 167 

communicating sequential processes, 9, 
19 

complete collection of state expressions, 
45 



completeness for abstract domain, 20 

- duration calculus, 20, 97, 204 

- interval logic, 20, 34, 203 

- neighborhood logic, 20, 201, 203 
complexity, 109 
concatenation, 176 

- of languages, 103 

congruent equivalence (of regular 
languages), 135 
consistent state, see state 
constraint diagram, 19 
continuity, 180 
continuous time, 3, 100 
contraction closure, see language 
contraction-closed language, see 
language 

counter machine, 113 
CSP, see communicating sequential 
processes 

DC, see duration calculus 
deadline, 69 

deadline- driven scheduler, 1, 4, 6, 67 
decidability (of duration calculus), 99, 
109 

- continuous time, 106 

- discrete time, 102, 106 
decision procedure, 20 
deduction 

- duration calculus, 46, 48, 90 

- interval logic, 28, 90 

- neighborhood logic, 196 
deduction theorem, 48 

- duration calculus, 204 

- interval logic, 31 

- neighborhood logic, 201 

- neighborhood-logic-based DC, 204 
delay 

- inertial, 153 

- transmission, 153 
delay-insensitive circuits, 206 
6-function, 15, 145 
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density, 202 
density function, 210 
dependability, 16, 209, 226 
discrete time, 3, 100 
duration, 5ee state 
duration calculus, 3, 14, 40 

- applications, 18 

- based on neighborhood logic, 204 

- discrete time, 99 

- higher-order, 18, 20 

- implementables, 20 

- probabilistic, 22, 209 

- RDCi{r), 111 

- RDC 2 , 111 

- RDCs, 111 

- restricted (RDC), 99, 111 

- tools, 20 

embedded system, 5ee hybrid system 
equivalence of DC formulas, 46 
Esterel, 19, 167 
event, 4, 14, 145 

expansion-closed language, see language 
explicit clock temporal logic, see 
temporal logic 
expressiveness 

- of chop-based interval logic, 189 

- of discrete RDC, 101 

fairness, 12, 13, 204 

- strong, 205 

- weak, 205 
fault tree, 19 

finite alternation, 46 
finite divergence, 17, 167 
finite term, 136 

finite variability, 15, 17, 42, 44, 45, 50, 
97, 110, 159, 168, 203 
Fischer’s mutual exclusion protocol, 19, 
109 

fixed point, 180 
fiexible 

- formula, 27 

- term, 27 
formula 

- duration calculus, 43 

- interval logic, 23, 26 

- neighborhood logic, 191 

- probabilistic duration calculus, 215 

- state transition calculus, 148, 150, 
170 

- superdense state transition calculus, 
170 



free 

- for X in </>, 28, 34 

- for X in 0(X), 47 

- variable, 27 

fully closed language, see language 
function, see global 

gas burner, 2, 5, 7, 8, 10, 13, 44, 60, 
101, 105, 125, 146, 160, 209, 211, 219 
global 

- function, 23, 24 

- relation, 23, 24 

- variable, 23-25, 176 

H-triple, 91 
halting problem, 113 
Heine-Borel theorem, 93 
history independence, 16 
Hoare logic, 20 

hybrid automaton, see automaton 
hybrid statechaxts, see statecharts 
hybrid system, 3, 9, 16-19, 190 

implementables, 20 
induction 

- base case, 45 

- hypothesis, 45 

- letter, 45 

- rules, 45, 90, 97, 203 
inertial delay, 153 
inference rules, 27 

- neighborhood logic, 195 

- probabilistic duration calculus, 210, 
216, 218 

- superdense state transitions, 171 
infinite term, 136 

infinitude, 202 

initial probability mass function, 211 
integer programming, 20, 144 
interpretation 

- discrete, 99, 102, 213 

- duration calculus, 42, 93, 96 

- interval logic, 25, 96 

- partition, 107 
interval, 9 

- closed, 70 

- discrete, 99, 102, 213 

- infinite, 18, 190 

- left open, 70 

- length, 10, 17, 23 

- logic, 9, 21, 23, 41, 189, 191 

- modality, see modality 

- open, 70 

- prefix, 39, 43, 193 
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- right open, 70 

- signed interval logic, 17, 20 

- suffix, 193 

- variable, 9 

interval logic, see interval 
Isabelle, 20 
iteration operator, 18 

Kripke model, 203 

language 

- contraction-closed, 106 

- expansion-closed, 107 

- fully closed, 107 

- regular, 102, 129, 131, 132 
length, 10 

linear duration invariant, 125, 133 

- satisfied or violated by a language, 
135 

- satisfied or violated by a timed 
sequence, 134 

- satisfied or violated by an automaton, 
135 

- satisfied or violated by an untimed 
sequence, 134 

linear programming, 20, 126, 128, 134, 

143 

Liu and Layland’s Theorem, 76 
liveness, 12, 13, 185, 204 

Markov property, 210 
matrix scalar product, 219 
mean value, 15, 145 
metric temporal logic, see temporal 
logic 

mixed integer programming problem, 

144 

modal logic, 10, 29 
modality, 10 

- chop, 11, 12, 17, 24, 26, 157, 169, 
170, 189, 190, 193 

- chop (discrete time), 99 

- contracting, 12, 17, 189 

- expanding, 12, 17, 190 

- interval, 10, 190, 193 

- neighborhood, 13, 16, 17, 190, 191 

- subinterval, 11, 12, 24 

- superdense chop, 17, 18, 169, 170 
modality free, 196 

model checking, 20, 125 
//-operator, 18 

natural numbers, 61 



neighborhood, 148, 151, 157, 159, 165, 
168, 190 

neighborhood logic, 13, 189 
non- Zeno phenomenon, 15 
nonelement ary complexity, 109 
NOR circuit, 152 

normal form (of regular expression), 
136, 141, 142 

OCCAM, 19, 175 
cj-rule, 20, 97, 203, 204 

parallel processes, 175 

partial correctness (of program), 185 

partition of an interpretation, 107 

periodic request, 69 

phase automaton, 105 

PLC automaton, 19 

post-state, 126, 132 

pre-state, 126, 132 

precedence, 24 

predicate logic, 28, 34, 196 

prefix interval, see interval 

probabilistic automaton, see automaton 

probabilistic duration calculus, 22, 215 

probabilistic space, 213 

probability function, 212 

probability matrix, 219 

program 

- refinement, 19, 167 

- semantics, 19, 180 

- specification, 19, 185 

- states, 176 

- variables, 175 

- verification, 19, 188 
proof, 34 

- duration calculus, 46 

- interval logic, 28 

- neighborhood logic, 196 
proof assistant, 20, 109 
proof system 

- duration calculus, 45 

- interval logic, 27 

- neighborhood logic, 194 

- neighborhood-logic-based DC, 204 

- probabilistic duration calculus, 216, 
218 

- state transition calculus, 154, 157 

- superdense transitions, 171 
punctuality, relaxing the, 118 
PVS, 20 

quantifier, 28, 34 

- exist (3), 24 
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- for all (V), 24 

- global variable, 28 

- state variables, 177 

RAISE, 19 

readiness variable, 176 
real analysis, 6, 16, 190, 191 
real arithmetic, 24, 28, 34, 89, 196, 201 
real time, 3 

real-time automaton, see automaton 
real-time logic, 7 
real-time programming, 18, 167 
real-time scheduler, 19 
real-time semantics, 19 
real-time specification, 19 
real-time system, 1, 14, 18, 145, 148, 
166, 209 

real-time verification, 19 

reduction, 135 

refinement, 20 

regular context, 135 

regular language, 102, 129, 131, 132 

relation, see global 

relative completeness, 20, 204 

- duration calculus, 45, 89, 96, 97 

- state transition calculus, 159 
restricted duration calculus {RDC), see 

duration calculus 
rigid 

- formula, 27, 35 

- term, 27 

S', 27 
S4, 29 

safety, 12, 189 

satisfaction probability, 213 

satisfiability 

- discrete time, 100 

- duration calculus, 43, 44, 69, 111, 
114, 118, 122, 125 

- interval logic, 26 

- neighborhood logic, 192 

- prefix intervals, 43 

- state transition calculus, 148 
SDL, 19 

semantics 

- chop, 26 

- duration calculus, 41 

- formula (duration calculus), 43 

- interval logic, 24 

- interval logic, terms, 26 

- neighborhood logic, 191 

- state duration, 42, 203 



- state expression, 42 

- state transition calculus, 148 

- state variable, 41 

- superdense chop, 170 

- superdense state transition calculus, 
170 

- temporal propositional letter, 25 

- temporal variable, 25, 41, 42 
sequential processes, 175 
shared processor, 68 

signed interval logic (SIL), see interval, 
signed interval logic 
single-step probability transition 
function, 211 

software-embedded system, see hybrid 
system 
soundness 

- duration calculus, 45-47 

- interval logic, 29 

- neighborhood logic, 196, 203 

- state transition calculus, 159 
stability of state, 14, 165, 169 
stable, 169 

state, 4 

- Boolean, 4, 14 

- consistent, 171, 172, 174 

- distance between, 7 

- duration, 6, 10, 17, 41, 42, 170, 203 

- expression, 41, 42, 177 

- real, 5, 14, 16 

- sequence, 212 

- stablility, 14, 165, 169 

- superdense transition, 165, 170 

- transition, 14, 16, 132, 145, 149, 165, 
189, 204 

- variable, 41, 43, 68, 177 
state transition, see state 

state transition calculus, 147, 153, 157 
state variable, 93 
statecharts, 9, 167 

- hybrid, 190 
structural induction, 94 
superdense chop, see modality 
superdense computation, 17, 19, 166 
superdense state transition, 165, 170 

- calculus, 170, 173 
synchrony hypothesis, 17 
syntax 

- duration calculus, 41 

- interval logic, 23 

- neighborhood logic, 191 

- probabilistic duration calculus, 215 

- state transition calculus, 148 
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- superdense state transition calculus, 
170 

temporal logic 

- explicit clock, 7 

- metric, 7 

- of actions, 9, 190 

temporal propositional letter, 23 
temporal variable, 23, 34, 41, 42, 89, 91 
term 

- interval logic, 23, 24, 28 

- superdense transition calculus, 170 
termination, 185 

theorem 

- duration calculus, 46, 51 

- interval logic, 28, 34 

- neighborhood logic, 196 

time (in relation to state variables), 41 
time unit, 100, 102 
timed automaton, see automaton, 
timed 

timed sequence, 132 
timely progressive, 168 
timing constraint, 126 

- lower bound, 132 

- upper bound, 132 

TLA, see temporal logic, of actions 
tools, 20 

trace variable, 176 



transition, see state, transition 
transition formula, 147, 148, 150, 170 
transmission delay, 153 
two-counter machine, see counter 
machine 

undecidability. 111, 125 

- continuous time, 112 

- discrete time, 112 
untimed sequence, 132 

validity 

- continuous time, 106 

- discrete time, 100, 106 

- duration calculus, 43, 44, 69, 111, 
114, 118, 122, 125 

- interval logic, 26 

- neighborhood logic, 192 

- prefix intervals, 43 

- RDC, 104 

- state transition calculus, 148 
value assignment, 25, 170 

- x-equi valent, 25 
variable, see global 
Verilog, 19 

a:-equi valence of value assignment, 25 
Zeno phenomenon, 17, 167 
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